@qlik/api 1.32.0 → 1.34.0

package/chunks/{FKDGGR2O.js → I2HA7WJB.js}

@@ -1,49 +1,55 @@
 import {
   getInterceptors
-} from "./3RGGGGAR.js";
+} from "./ZCTVPXGO.js";
 import {
+  cleanFalsyValues,
   isBrowser,
-  isNode
-} from "./2ZQ3ZX7F.js";
+  isNode,
+  sortKeys
+} from "./7MMXU6EL.js";
 
-// src/auth/internal/host-config-registry.ts
-var registeredHostConfigs = {};
-function registerHostConfigInternal(name, hostConfig) {
-  if (hostConfig?.reference) {
-    throw new InvalidHostConfigError("Cannot register a host config with a reference");
-  }
-  if (registeredHostConfigs[name]) {
-    console.warn(`registerHostConfig: Host config with name "${name}" is already registered. Overwriting.`);
-  }
-  registeredHostConfigs[name] = hostConfig;
-}
-function unregisterHostConfigInternal(name) {
-  if (registeredHostConfigs[name]) {
-    delete registeredHostConfigs[name];
-  } else {
-    console.warn(`unregisterHostConfig: Host config with name "${name}" not found.`);
+// src/invoke-fetch/invoke-fetch-errors.ts
+var InvokeFetchError = class extends Error {
+  status;
+  headers;
+  data;
+  constructor(errorMessage, status, headers, data) {
+    super(errorMessage);
+    this.status = status;
+    this.headers = headers;
+    this.data = data;
+    this.stack = cleanStack(this.stack);
   }
-}
-function getRegisteredHostConfigInternal(name) {
-  if (!registeredHostConfigs[name]) {
-    throw new Error(`Host config with name "${name}" not found.`);
+};
+var EncodingError = class extends Error {
+  contentType;
+  data;
+  constructor(errorMessage, contentType, data) {
+    super(errorMessage);
+    this.contentType = contentType;
+    this.data = data;
+    this.stack = cleanStack(this.stack);
   }
-  return registeredHostConfigs[name];
-}
-
-// src/auth/internal/default-host-config.ts
-var defaultHostConfig = {};
-function setDefaultHostConfigInternal(hostConfig) {
-  defaultHostConfig = hostConfig || {};
-}
-function withResolvedHostConfig(hostConfig) {
-  if (hostConfig?.reference) {
-    return getRegisteredHostConfigInternal(hostConfig.reference);
+};
+var regex = /^.+\/qmfe-api(?:\.js)?:(\d+)(?::\d+)?$/gim;
+var isFromQmfeApi = (line) => {
+  const matches = line.match(regex);
+  return Boolean(matches && matches.length > 0);
+};
+function cleanStack(stack) {
+  if (!stack) {
+    return stack;
   }
-  if (hostConfig && Object.keys(hostConfig).length > 0) {
-    return hostConfig;
+  const newStack = [];
+  const lines = stack.split("\n");
+  lines.reverse();
+  for (const line of lines) {
+    if (isFromQmfeApi(line)) {
+      break;
+    }
+    newStack.unshift(line);
   }
-  return defaultHostConfig;
+  return newStack.join("\n");
 }
 
 // src/platform/platform-functions.ts
@@ -151,943 +157,920 @@ var result = (data) => ({
   ...data
 });
 
-// src/auth/internal/auth-module-registry.ts
-var authModules = {};
-var ongoingAuthModuleLoading = Promise.resolve();
-function registerAuthModule(name, authModule) {
-  authModules[name.toLowerCase()] = authModule;
-}
-function getRegisteredAuthModules() {
-  return Object.keys(authModules);
-}
-function getRegisteredAuthModule(authType) {
-  return authModules[authType.toLowerCase()];
+// src/auth/auth-types.ts
+var hostConfigCommonProperties = [
+  "authType",
+  "autoRedirect",
+  "authRedirectUserConfirmation",
+  "embedRuntimeUrl",
+  "host",
+  "onAuthFailed"
+];
+var authTypesThatCanBeOmitted = [
+  "apikey",
+  "oauth2",
+  "cookie",
+  "windowscookie",
+  "reference",
+  "anonymous"
+];
+
+// src/utils/random.ts
+import { customAlphabet, nanoid } from "nanoid";
+function generateRandomString(targetLength) {
+  return nanoid(targetLength);
 }
-async function getAuthModule(hostConfig) {
-  const hostConfigToUse = withResolvedHostConfig(hostConfig);
-  const authType = await determineAuthType(hostConfigToUse);
-  if (ongoingAuthModuleLoading) {
-    await ongoingAuthModuleLoading;
-  }
-  let authModule = getRegisteredAuthModule(authType);
-  if (!authModule) {
-    ongoingAuthModuleLoading = (async () => {
-      authModule = await resolveGloballyDefinedAuthModule(authType);
-      if (authModule) {
-        registerAuthModule(authType, authModule);
-      }
-    })();
-    await ongoingAuthModuleLoading;
-  }
-  if (!authModule) {
-    throw new InvalidAuthTypeError(authType);
-  }
-  if (authModule.validateHostConfig) {
-    authModule.validateHostConfig({ authType, ...hostConfigToUse });
-  }
-  return authModule;
+function generateRandomHexString(targetLength) {
+  return customAlphabet("1234567890abcdef", targetLength)();
 }
-async function resolveGloballyDefinedAuthModule(authType) {
-  const globalWindow = globalThis;
-  const globalVariable = globalWindow[authType];
-  if (globalVariable) {
-    let potentialAuthModule;
-    if (typeof globalVariable === "function") {
-      potentialAuthModule = await globalVariable();
-    } else {
-      potentialAuthModule = globalVariable;
-    }
-    if (potentialAuthModule && potentialAuthModule.getRestCallAuthParams && potentialAuthModule.getWebSocketAuthParams && potentialAuthModule.handleAuthenticationError) {
-      return potentialAuthModule;
+
+// src/utils/expose-internal-test-apis.ts
+var internalApisName = "__QLIK_INTERNAL__DO_NOT_USE_OR_YOU_WILL_BE_FIRED";
+function exposeInternalApiOnWindow(name, fn) {
+  if (globalThis.location?.origin.startsWith("https://localhost:") || globalThis.location?.origin?.endsWith("qlik-stage.com")) {
+    if (globalThis[internalApisName] === void 0) {
+      globalThis[internalApisName] = {};
     }
-    console.error("Not a valid auth module", potentialAuthModule);
-    throw new InvalidAuthTypeError(authType);
+    globalThis[internalApisName][name] = fn;
   }
-  return Promise.resolve(void 0);
 }
 
-// src/auth/auth-errors.ts
-var InvalidHostConfigError = class extends Error {
-  constructor(message) {
-    super(`Invalid host config: ${message}`);
-    this.name = "InvalidHostConfigError";
-  }
-};
-var UnexpectedAuthTypeError = class extends Error {
-  constructor(...expectedAuthTypes) {
-    const ors = expectedAuthTypes.map((item, index) => index === 0 ? `"${item}"` : `or "${item}"`).join(" ");
-    super(`HostConfig is not properly configured. authType is expected to be ${ors}`);
-    this.name = "UnexpectedAuthTypeError";
-  }
-};
-var InvalidAuthTypeError = class extends Error {
-  constructor(authType) {
-    const validAuthModules = getRegisteredAuthModules();
-    super(
-      `Not a valid auth type: ${authType}, valid auth types are; '${validAuthModules.filter((name) => name.toLowerCase() !== "qmfeembedframerauthmodule").join("', '")}'`
-    );
-    this.name = "InvalidAuthTypeError";
+// src/auth/internal/default-auth-modules/oauth/storage-helpers.ts
+var storagePrefix = "qlik-qmfe-api";
+function getTopicFromOauthHostConfig(hostConfig) {
+  let topic = hostConfig.clientId + (hostConfig.scope ? `_${hostConfig.scope}` : "_user_default");
+  if (hostConfig.subject) {
+    topic += `_${hostConfig.subject}`;
   }
-};
-function errorToString({ title, detail, code, status }) {
-  if (detail) {
-    return `${title} - ${detail} (Status: ${status}, Code: ${code})`;
+  if (hostConfig.userId) {
+    topic += `_${hostConfig.userId}`;
   }
-  return `${title} (Status: ${status}, Code: ${code})`;
+  return topic;
 }
-var AuthorizationError = class extends Error {
-  errors;
-  constructor(errors) {
-    if (typeof errors !== "object") {
-      super("Unknown error");
-      return;
-    }
-    const errorArray = Array.isArray(errors) ? errors : [errors];
-    super(errorArray.map(errorToString).join(", "));
-    this.errors = errorArray;
-  }
-};
-
-// src/auth/auth-functions.ts
-var lastErrorMessage = "";
-function logToConsole({ message }) {
-  if (message !== lastErrorMessage) {
-    lastErrorMessage = message;
-    console.error(message);
-  }
+function getTopicFromAnonHostConfig(hostConfig) {
+  return `${hostConfig.accessCode}_${hostConfig.clientId}`;
 }
-function isHostCrossOrigin(hostConfig) {
-  if (!globalThis.location?.origin) {
-    return true;
-  }
-  const hostConfigToUse = withResolvedHostConfig(hostConfig);
-  if (Object.keys(hostConfigToUse).length === 0) {
-    return false;
-  }
-  try {
-    const locationUrl = new URL(toValidLocationUrl(hostConfigToUse));
-    return locationUrl.origin !== globalThis.location.origin;
-  } catch {
+var cachedTokens = {};
+function clearAllCachedTokens() {
+  for (const key in cachedTokens) {
+    delete cachedTokens[key];
   }
-  return false;
 }
-async function isWindows(hostConfig) {
-  const hostConfigToUse = withResolvedHostConfig(hostConfig);
-  if (typeof hostConfigToUse.forceIsWindows === "boolean") {
-    return hostConfigToUse.forceIsWindows;
+exposeInternalApiOnWindow("clearAllAccessTokens", () => {
+  console.log("Clearing tokens", cachedTokens);
+  Object.keys(cachedTokens).forEach((key) => {
+    console.log("Clearing access tokens for", key);
+    deleteFromLocalStorage(key, ["access-token", "refresh-token"]);
+    deleteFromSessionStorage(key, ["access-token", "refresh-token"]);
+  });
+  clearAllCachedTokens();
+});
+function saveInLocalStorage(topic, name, value) {
+  localStorage.setItem(`${storagePrefix}-${topic}-${name}`, value);
+}
+function saveInSessionStorage(topic, name, value) {
+  sessionStorage.setItem(`${storagePrefix}-${topic}-${name}`, value);
+}
+function loadFromLocalStorage(topic, name) {
+  return localStorage.getItem(`${storagePrefix}-${topic}-${name}`) || void 0;
+}
+function loadFromSessionStorage(topic, name) {
+  return sessionStorage.getItem(`${storagePrefix}-${topic}-${name}`) || void 0;
+}
+function deleteFromLocalStorage(topic, names) {
+  names.forEach((name) => localStorage.removeItem(`${storagePrefix}-${topic}-${name}`));
+}
+function deleteFromSessionStorage(topic, names) {
+  names.forEach((name) => sessionStorage.removeItem(`${storagePrefix}-${topic}-${name}`));
+}
+function loadAndDeleteFromSessionStorage(topic, name) {
+  const id = `${storagePrefix}-${topic}-${name}`;
+  const result2 = sessionStorage.getItem(id) || void 0;
+  sessionStorage.removeItem(id);
+  return result2;
+}
+function loadOauthTokensFromStorage(topic, accessTokenStorage) {
+  let accessToken;
+  let refreshToken;
+  if (accessTokenStorage === "local") {
+    accessToken = loadFromLocalStorage(topic, "access-token");
+    refreshToken = loadFromLocalStorage(topic, "refresh-token");
+  } else if (accessTokenStorage === "session") {
+    accessToken = loadFromSessionStorage(topic, "access-token");
+    refreshToken = loadFromSessionStorage(topic, "refresh-token");
   }
-  if (hostConfigToUse.authType === "cookie") {
-    return false;
+  if (accessToken) {
+    return {
+      accessToken,
+      refreshToken
+    };
   }
-  if (hostConfigToUse.authType === "windowscookie") {
-    return true;
+  return void 0;
+}
+async function loadCachedOauthTokens(hostConfig) {
+  return cachedTokens[getTopicFromOauthHostConfig(hostConfig)];
+}
+async function loadOrAcquireAccessTokenOauth(hostConfig, acquireTokens) {
+  if (!hostConfig.clientId) {
+    throw new InvalidHostConfigError('A host config with authType set to "oauth2" has to also provide a clientId');
   }
-  return (await getPlatform({ hostConfig })).isWindows;
+  const topic = getTopicFromOauthHostConfig(hostConfig);
+  return loadOrAcquireAccessToken(topic, acquireTokens, hostConfig.noCache, hostConfig.accessTokenStorage);
 }
-function toValidLocationUrl(hostConfig) {
-  const url = withResolvedHostConfig(hostConfig)?.host;
-  let locationUrl;
-  if (!url) {
-    locationUrl = "";
-  } else if (url.toLowerCase().startsWith("https://") || url.toLowerCase().startsWith("http://")) {
-    locationUrl = url;
-  } else {
-    locationUrl = `https://${url}`;
-  }
-  while (locationUrl[locationUrl.length - 1] === "/") {
-    locationUrl = locationUrl.substring(0, locationUrl.length - 1);
+async function loadOrAcquireAccessTokenAnon(hostConfig, acquireTokens) {
+  if (!hostConfig.accessCode) {
+    throw new InvalidHostConfigError(
+      'A host config with authType set to "anonymous" has to also provide an accessCode'
+    );
   }
-  return locationUrl;
+  const topic = getTopicFromAnonHostConfig(hostConfig);
+  return loadOrAcquireAccessToken(topic, acquireTokens, false, void 0);
 }
-function toValidWebsocketLocationUrl(hostConfig) {
-  const url = withResolvedHostConfig(hostConfig)?.host;
-  let locationUrl;
-  if (!url) {
-    locationUrl = globalThis.location.origin;
-  } else if (url.toLowerCase().startsWith("https://") || url.toLowerCase().startsWith("http://")) {
-    locationUrl = url;
-  } else {
-    locationUrl = `https://${url}`;
-  }
-  while (locationUrl[locationUrl.length - 1] === "/") {
-    locationUrl = locationUrl.substring(0, locationUrl.length - 1);
+async function loadOrAcquireAccessToken(topic, acquireTokens, noCache, accessTokenStorage) {
+  if (noCache) {
+    return acquireTokens();
   }
-  return locationUrl.replace(leadingHttp, "ws");
-}
-async function getWebSocketAuthParams(props) {
-  const hostConfigToUse = withResolvedHostConfig(props.hostConfig);
-  try {
-    const authModule = await getAuthModule(hostConfigToUse);
-    return await authModule.getWebSocketAuthParams({
-      ...props,
-      hostConfig: hostConfigToUse
-    });
-  } catch (err) {
-    (hostConfigToUse.onAuthFailed || logToConsole)(normalizeAuthModuleError(err));
-    throw err;
+  const mayUseStorage = isBrowser();
+  const storedOauthTokens = cachedTokens[topic] || (mayUseStorage ? loadOauthTokensFromStorage(topic, accessTokenStorage) : void 0);
+  if (storedOauthTokens) {
+    cachedTokens[topic] = storedOauthTokens;
+    return Promise.resolve(storedOauthTokens);
   }
-}
-async function getWebResourceAuthParams(props) {
-  const hostConfigToUse = withResolvedHostConfig(props.hostConfig);
-  try {
-    const authModule = await getAuthModule(hostConfigToUse);
-    return await authModule.getWebResourceAuthParams?.({
-      ...props,
-      hostConfig: hostConfigToUse
-    }) || { queryParams: {} };
-  } catch (err) {
-    (hostConfigToUse.onAuthFailed || logToConsole)(normalizeAuthModuleError(err));
-    throw err;
+  const tokensPromise = acquireTokens();
+  cachedTokens[topic] = tokensPromise;
+  if (mayUseStorage) {
+    const tokens = await tokensPromise;
+    if (accessTokenStorage === "local" && tokens) {
+      if (tokens.accessToken) {
+        saveInLocalStorage(topic, "access-token", tokens.accessToken);
+      }
+      if (tokens.refreshToken) {
+        saveInLocalStorage(topic, "refresh-token", tokens.refreshToken);
+      }
+    } else if (accessTokenStorage === "session" && tokens) {
+      if (tokens.accessToken) {
+        saveInSessionStorage(topic, "access-token", tokens.accessToken);
+      }
+      if (tokens.refreshToken) {
+        saveInSessionStorage(topic, "refresh-token", tokens.refreshToken);
+      }
+    }
   }
+  return tokensPromise;
 }
-async function handleAuthenticationError(props) {
-  const hostConfigToUse = withResolvedHostConfig(props.hostConfig);
-  const authModule = await getAuthModule(hostConfigToUse);
-  const result2 = await authModule.handleAuthenticationError({
-    ...props,
-    hostConfig: hostConfigToUse
-  });
-  const willRetry = props.canRetry && result2.retry;
-  const willHangUntilANewPageIsLoaded = result2.preventDefault;
-  if (!willRetry && !willHangUntilANewPageIsLoaded) {
-    const { status, errorBody } = props;
-    (hostConfigToUse.onAuthFailed || logToConsole)(normalizeInbandAuthError({ status, errorBody }));
+function clearStoredOauthTokens(hostConfig) {
+  const topic = getTopicFromOauthHostConfig(hostConfig);
+  delete cachedTokens[topic];
+  if (isBrowser()) {
+    deleteFromLocalStorage(topic, ["access-token", "refresh-token"]);
+    deleteFromSessionStorage(topic, ["access-token", "refresh-token"]);
   }
-  return result2;
 }
-async function getRestCallAuthParams(props) {
-  const hostConfigToUse = withResolvedHostConfig(props.hostConfig);
-  try {
-    const authModule = await getAuthModule(hostConfigToUse);
-    return await authModule.getRestCallAuthParams({
-      ...props,
-      hostConfig: hostConfigToUse
-    });
-  } catch (err) {
-    (hostConfigToUse.onAuthFailed || logToConsole)(normalizeAuthModuleError(err));
-    throw err;
+function clearStoredAnonymousTokens(hostConfig) {
+  const topic = getTopicFromAnonHostConfig(hostConfig);
+  delete cachedTokens[topic];
+  if (isBrowser()) {
+    deleteFromLocalStorage(topic, ["access-token", "refresh-token"]);
+    deleteFromSessionStorage(topic, ["access-token", "refresh-token"]);
   }
 }
-async function getAccessToken(props) {
-  const res = await getRestCallAuthParams({ method: "GET", ...props });
-  const authorizationHeader = res.headers?.Authorization;
-  if (authorizationHeader.indexOf("Bearer ") === 0) {
-    return authorizationHeader.substring(7);
+
+// src/auth/internal/default-auth-modules/oauth/oauth-utils.ts
+function toPerformInteractiveLoginFunction(performInteractiveLogin) {
+  if (typeof performInteractiveLogin === "string") {
+    const fn = lookupInteractiveLoginFn(performInteractiveLogin);
+    if (!fn) {
+      throw new Error(`No such function: ${performInteractiveLogin}`);
+    }
+    return fn;
   }
-  throw new Error("Unknown format of authorization header returned by remote auth module");
-}
-function registerAuthModule2(name, authModule) {
-  registerAuthModule(name, authModule);
-}
-function setDefaultHostConfig(hostConfig) {
-  setDefaultHostConfigInternal(hostConfig);
-}
-function registerHostConfig(name, hostConfig) {
-  registerHostConfigInternal(name, hostConfig);
+  return performInteractiveLogin;
 }
-function unregisterHostConfig(name) {
-  unregisterHostConfigInternal(name);
+function lookupGetAccessFn(getAccessToken) {
+  return globalThis[getAccessToken];
 }
-function serializeHostConfig(hostConfig) {
-  const hostConfigToUse = withResolvedHostConfig(hostConfig);
-  return JSON.stringify(hostConfigToUse, hostConfigPropertyIgnorer);
+function lookupInteractiveLoginFn(name) {
+  return globalThis[name];
 }
-async function determineAuthType(hostConfig) {
-  if (hostConfig.authType) {
-    return hostConfig.authType;
-  }
-  if (hostConfig.apiKey) {
-    return "apikey";
-  }
-  if (hostConfig.accessCode) {
-    return "anonymous";
-  }
-  if (hostConfig.clientId) {
-    return "oauth2";
-  }
-  if (hostConfig.webIntegrationId) {
-    return "cookie";
-  }
-  if (hostConfig.reference) {
-    return "reference";
-  }
-  if (await isWindows(hostConfig)) {
-    return "windowscookie";
+function handlePossibleErrors(data) {
+  if (data.errors) {
+    throw new AuthorizationError(data.errors);
   }
-  return "cookie";
 }
-function checkForCrossDomainRequest(hostConfig) {
-  const hostConfigToUse = withResolvedHostConfig(hostConfig);
-  if (isHostCrossOrigin(hostConfigToUse)) {
-    if (Object.keys(hostConfigToUse).length === 0) {
-      throw new InvalidHostConfigError("a host config must be provided when making a cross domain request");
-    }
-    if (!hostConfigToUse.host) {
-      throw new InvalidHostConfigError("A 'host' must be set in host config when making a cross domain request");
-    }
-  }
+function toQueryString(queryParams) {
+  const queryParamsKeys = Object.keys(queryParams);
+  queryParamsKeys.sort();
+  const query = queryParamsKeys.map((k) => `${k}=${queryParams[k]}`).join("&");
+  return query;
 }
-var logout = () => {
-  globalThis.loggingOut = true;
-  globalThis.location.href = "/logout";
-};
-var leadingHttp = /^http/;
-function normalizeInbandAuthError({ errorBody, status }) {
-  const authError = errorBody;
-  if (typeof authError?.errors === "object") {
-    const err = new AuthorizationError(authError?.errors);
-    return { message: err.message };
+function byteArrayToBase64(hashArray) {
+  let result2 = "";
+  if (isBrowser()) {
+    const byteArrayToString = String.fromCharCode.apply(null, hashArray);
+    result2 = btoa(byteArrayToString);
+  } else if (isNode()) {
+    result2 = Buffer.from(hashArray).toString("base64");
+  } else {
+    throw new Error("Environment not supported for oauth2 authentication");
   }
-  return { message: `HTTP ${status}` };
+  return result2;
 }
-function normalizeAuthModuleError(err) {
-  return { message: err.message || "Unknown error" };
+async function sha256(message) {
+  const msgBuffer = new TextEncoder().encode(message);
+  const hashBuffer = await globalThis.crypto.subtle.digest("SHA-256", msgBuffer);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hashBase64 = byteArrayToBase64(hashArray);
+  return hashBase64.replaceAll(/\+/g, "-").replaceAll(/\//g, "_").replace(/=+$/, "");
 }
-function hostConfigPropertyIgnorer(key, value) {
-  if (key === "") {
-    return value;
-  }
-  if (key === "authType") {
-    return void 0;
-  }
-  const vtype = typeof value;
-  if (vtype === "object" || vtype === "function") {
-    return void 0;
-  }
-  return value;
+async function createInteractiveLoginUrl(hostConfig, redirectUri, state, verifier) {
+  const clientId = hostConfig.clientId || "";
+  const locationUrl = toValidLocationUrl(hostConfig);
+  const codeChallenge = await sha256(verifier);
+  const queryParams = {
+    response_type: "code",
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    scope: hostConfig.scope || "user_default",
+    state,
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256"
+  };
+  return `${locationUrl}/oauth/authorize?${toQueryString(queryParams)}`;
 }
-
-// src/random/random.ts
-import { customAlphabet, nanoid } from "nanoid";
-function generateRandomString(targetLength) {
-  return nanoid(targetLength);
+async function startFullPageLoginFlow(hostConfig) {
+  const clientId = hostConfig.clientId || "";
+  const locationUrl = toValidLocationUrl(hostConfig);
+  const verifier = generateRandomString(128);
+  const state = generateRandomString(43);
+  const codeChallenge = await sha256(verifier);
+  const redirectUri = hostConfig.redirectUri || globalThis.location.href;
+  const topic = getTopicFromOauthHostConfig(hostConfig);
+  clearStoredOauthTokens(hostConfig);
+  saveInSessionStorage(topic, "state", state);
+  saveInSessionStorage(topic, "verifier", verifier);
+  saveInSessionStorage(topic, "href", globalThis.location.href);
+  saveInSessionStorage("", "client-in-progress", topic);
+  const queryParams = {
+    response_type: "code",
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    scope: hostConfig.scope || "user_default",
+    state,
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256"
+  };
+  const url = `${locationUrl}/oauth/authorize?${toQueryString(queryParams)}`;
+  globalThis.location.replace(url);
 }
-function generateRandomHexString(targetLength) {
-  return customAlphabet("1234567890abcdef", targetLength)();
-}
-
-// src/auth/internal/auth-functions.ts
-function getCredentialsForCookieAuth(hostConfig) {
-  if (hostConfig.crossSiteCookies === false) {
-    return "same-origin";
-  }
-  if (isHostCrossOrigin(hostConfig)) {
-    return "include";
+async function exchangeCodeAndVerifierForAccessTokenData(hostConfig, code, verifier, redirectUri) {
+  try {
+    const result2 = await fetch(`${toValidLocationUrl(hostConfig)}/oauth/token`, {
+      method: "POST",
+      credentials: "include",
+      mode: "cors",
+      headers: { "content-type": "application/json" },
+      redirect: "follow",
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        scope: hostConfig.scope || "user_default",
+        ...code ? { code } : {},
+        ...{ redirect_uri: redirectUri || globalThis.location.href },
+        ...verifier ? { code_verifier: verifier } : {},
+        client_id: hostConfig.clientId
+      })
+    });
+    const data = await result2.json();
+    handlePossibleErrors(data);
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      errors: data.errors
+    };
+  } catch (err) {
+    console.error(err);
+    return new Promise(() => {
+    });
   }
-  return "same-origin";
 }
-function internalValidateHostConfig(hostConfig, options) {
-  const missingRequiredProps = [];
-  for (const requiredProp of options.requiredProps) {
-    if (!hostConfig[requiredProp]) {
-      missingRequiredProps.push(requiredProp);
-    }
-  }
-  if (missingRequiredProps.length > 0) {
-    throw new InvalidHostConfigError(
-      `missing required properties in host config; '${missingRequiredProps.join("', '")}'`
-    );
+function createBodyWithCredentialsEtc(clientId, clientSecret, scope, subject, userId) {
+  const commonProps = {
+    client_id: clientId,
+    client_secret: clientSecret,
+    scope
+  };
+  if (subject) {
+    return {
+      ...commonProps,
+      grant_type: "urn:qlik:oauth:user-impersonation",
+      user_lookup: {
+        field: "subject",
+        value: subject
+      }
+    };
   }
-  const validProps = [
-    "authType",
-    "autoRedirect",
-    "authRedirectUserConfirmation",
-    "embedRuntimeUrl",
-    "host",
-    "onAuthFailed",
-    ...options.requiredProps,
-    ...options.optionalProps
-  ];
-  const invalidKeys = [];
-  Object.keys(hostConfig).forEach((key) => {
-    if (!validProps.some((k) => k === key)) {
-      invalidKeys.push(key);
-    }
-  });
-  if (invalidKeys.length > 0) {
-    throw new InvalidHostConfigError(`unknown properties in host config; '${invalidKeys.join("', '")}'`);
+  if (userId) {
+    return {
+      ...commonProps,
+      grant_type: "urn:qlik:oauth:user-impersonation",
+      user_lookup: {
+        field: "userId",
+        value: userId
+      }
+    };
   }
-  return true;
+  return {
+    ...commonProps,
+    grant_type: "client_credentials"
+  };
 }
-
-// src/utils/expose-internal-test-apis.ts
-var internalApisName = "__QLIK_INTERNAL__DO_NOT_USE_OR_YOU_WILL_BE_FIRED";
-function exposeInternalApiOnWindow(name, fn) {
-  if (globalThis.location?.origin.startsWith("https://localhost:") || globalThis.location?.origin?.endsWith("qlik-stage.com")) {
-    if (globalThis[internalApisName] === void 0) {
-      globalThis[internalApisName] = {};
-    }
-    globalThis[internalApisName][name] = fn;
-  }
+async function getOauthTokensWithCredentials(baseUrl, clientId, clientSecret, scope = "user_default", subject, userId) {
+  const result2 = await fetch(`${baseUrl}/oauth/token`, {
+    method: "POST",
+    mode: "cors",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(createBodyWithCredentialsEtc(clientId, clientSecret, scope, subject, userId))
+  });
+  const data = await result2.json();
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    errors: data.errors
+  };
 }
-
-// src/auth/internal/default-auth-modules/oauth/storage-helpers.ts
-var storagePrefix = "qlik-qmfe-api";
-function getTopicFromOauthHostConfig(hostConfig) {
-  let topic = hostConfig.clientId + (hostConfig.scope ? `_${hostConfig.scope}` : "_user_default");
-  if (hostConfig.subject) {
-    topic += `_${hostConfig.subject}`;
-  }
-  if (hostConfig.userId) {
-    topic += `_${hostConfig.userId}`;
-  }
-  return topic;
+async function getOauthTokensWithRefreshToken(baseUrl, refreshToken, clientSecret) {
+  const result2 = await fetch(`${baseUrl}/oauth/token`, {
+    method: "POST",
+    mode: "cors",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_secret: clientSecret
+    })
+  });
+  const data = await result2.json();
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    errors: data.errors
+  };
 }
-function getTopicFromAnonHostConfig(hostConfig) {
-  return `${hostConfig.accessCode}_${hostConfig.clientId}`;
+async function getAnonymousOauthAccessToken(baseUrl, accessCode, clientId, trackingCode) {
+  const result2 = await fetch(`${baseUrl}/oauth/token/anonymous-embed`, {
+    method: "POST",
+    mode: "cors",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({
+      eac: accessCode,
+      client_id: clientId,
+      grant_type: "urn:qlik:oauth:anonymous-embed",
+      tracking_code: trackingCode
+    })
+  });
+  const data = await result2.json();
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    errors: data.errors
+  };
 }
-var cachedTokens = {};
-function clearAllCachedTokens() {
-  for (const key in cachedTokens) {
-    delete cachedTokens[key];
+async function getOAuthTokensForNode(hostConfig) {
+  const { clientId, clientSecret } = hostConfig;
+  if (!clientId || !clientSecret) {
+    throw new InvalidHostConfigError(
+      'A host config with authType set to "oauth2" has to provide a clientId and a clientSecret'
+    );
   }
-}
-exposeInternalApiOnWindow("clearAllAccessTokens", () => {
-  console.log("Clearing tokens", cachedTokens);
-  Object.keys(cachedTokens).forEach((key) => {
-    console.log("Clearing access tokens for", key);
-    deleteFromLocalStorage(key, ["access-token", "refresh-token"]);
-    deleteFromSessionStorage(key, ["access-token", "refresh-token"]);
+  const oauthTokens = await loadOrAcquireAccessTokenOauth(hostConfig, async () => {
+    if (!hostConfig.clientId || !hostConfig.clientSecret) {
+      throw new InvalidHostConfigError(
+        'A host config with authType set to "oauth2" has to provide a clientId and a clientSecret'
+      );
+    }
+    return getOauthTokensWithCredentials(
+      toValidLocationUrl(hostConfig),
+      hostConfig.clientId,
+      hostConfig.clientSecret,
+      hostConfig.scope,
+      hostConfig.subject,
+      hostConfig.userId
+    );
   });
-  clearAllCachedTokens();
-});
-function saveInLocalStorage(topic, name, value) {
-  localStorage.setItem(`${storagePrefix}-${topic}-${name}`, value);
-}
-function saveInSessionStorage(topic, name, value) {
-  sessionStorage.setItem(`${storagePrefix}-${topic}-${name}`, value);
-}
-function loadFromLocalStorage(topic, name) {
-  return localStorage.getItem(`${storagePrefix}-${topic}-${name}`) || void 0;
-}
-function loadFromSessionStorage(topic, name) {
-  return sessionStorage.getItem(`${storagePrefix}-${topic}-${name}`) || void 0;
-}
-function deleteFromLocalStorage(topic, names) {
-  names.forEach((name) => localStorage.removeItem(`${storagePrefix}-${topic}-${name}`));
-}
-function deleteFromSessionStorage(topic, names) {
-  names.forEach((name) => sessionStorage.removeItem(`${storagePrefix}-${topic}-${name}`));
-}
-function loadAndDeleteFromSessionStorage(topic, name) {
-  const id = `${storagePrefix}-${topic}-${name}`;
-  const result2 = sessionStorage.getItem(id) || void 0;
-  sessionStorage.removeItem(id);
-  return result2;
+  return oauthTokens;
 }
-function loadOauthTokensFromStorage(topic, accessTokenStorage) {
-  let accessToken;
-  let refreshToken;
-  if (accessTokenStorage === "local") {
-    accessToken = loadFromLocalStorage(topic, "access-token");
-    refreshToken = loadFromLocalStorage(topic, "refresh-token");
-  } else if (accessTokenStorage === "session") {
-    accessToken = loadFromSessionStorage(topic, "access-token");
-    refreshToken = loadFromSessionStorage(topic, "refresh-token");
+async function getOAuthTokensForBrowser(hostConfig) {
+  const { clientId } = hostConfig;
+  if (!clientId) {
+    throw new InvalidHostConfigError('A host config with authType set to "oauth2" has to also provide a clientId');
   }
-  if (accessToken) {
-    return {
-      accessToken,
-      refreshToken
-    };
+  const oauthTokens = await loadOrAcquireAccessTokenOauth(hostConfig, async () => {
+    if (hostConfig.getAccessToken) {
+      try {
+        const tokenFetchedFromRemote = typeof hostConfig.getAccessToken === "string" ? await lookupGetAccessFn(hostConfig.getAccessToken)() : await hostConfig.getAccessToken();
+        return {
+          accessToken: tokenFetchedFromRemote,
+          refreshToken: void 0,
+          errors: void 0
+        };
+      } catch {
+        return errorMessageToAuthData("Could not fetch access token using custom function");
+      }
+    }
+    if (hostConfig.performInteractiveLogin) {
+      let usedRedirectUri;
+      try {
+        const verifier2 = generateRandomString(128);
+        const originalState = generateRandomString(43);
+        const { code: code2, state } = extractCodeAndState(
+          await toPerformInteractiveLoginFunction(hostConfig.performInteractiveLogin)({
+            getLoginUrl: async ({ redirectUri }) => {
+              usedRedirectUri = redirectUri;
+              return createInteractiveLoginUrl(hostConfig, redirectUri, originalState, verifier2);
+            }
+          })
+        );
+        if (!usedRedirectUri) {
+          return errorMessageToAuthData("No redirect uri provided");
+        }
+        if (originalState !== state) {
+          return errorMessageToAuthData("State returned by custom interactive login function does not match original");
+        }
+        if (!code2) {
+          return errorMessageToAuthData("No code found in response from custom interactive login function");
+        }
+        const tokenResponse = await exchangeCodeAndVerifierForAccessTokenData(
+          hostConfig,
+          code2,
+          verifier2,
+          usedRedirectUri
+        );
+        return tokenResponse;
+      } catch (error) {
+        return {
+          accessToken: void 0,
+          refreshToken: void 0,
+          errors: [
+            {
+              code: "",
+              status: 401,
+              title: "Could not perform custom interactive login",
+              detail: `${error}`
+            }
+          ]
+        };
+      }
+    }
+    const topic = getTopicFromOauthHostConfig(hostConfig);
+    const code = loadAndDeleteFromSessionStorage(topic, "code");
+    const verifier = loadAndDeleteFromSessionStorage(topic, "verifier");
+    if (code && verifier) {
+      const tokenResponse = await exchangeCodeAndVerifierForAccessTokenData(
+        hostConfig,
+        code,
+        verifier,
+        hostConfig.redirectUri
+      );
+      if (tokenResponse) {
+        return tokenResponse;
+      }
+    }
+    return void 0;
+  });
+  if (oauthTokens) {
+    return oauthTokens;
   }
-  return void 0;
-}
-async function loadCachedOauthTokens(hostConfig) {
-  return cachedTokens[getTopicFromOauthHostConfig(hostConfig)];
-}
-async function loadOrAcquireAccessTokenOauth(hostConfig, acquireTokens) {
-  if (!hostConfig.clientId) {
-    throw new InvalidHostConfigError('A host config with authType set to "oauth2" has to also provide a clientId');
+  if (hostConfig.performInteractiveLogin) {
+    return new Promise(() => {
+    });
   }
-  const topic = getTopicFromOauthHostConfig(hostConfig);
-  return loadOrAcquireAccessToken(topic, acquireTokens, hostConfig.noCache, hostConfig.accessTokenStorage);
-}
-async function loadOrAcquireAccessTokenAnon(hostConfig, acquireTokens) {
-  if (!hostConfig.accessCode) {
-    throw new InvalidHostConfigError(
-      'A host config with authType set to "anonymous" has to also provide an accessCode'
-    );
+  if (hostConfig.authRedirectUserConfirmation) {
+    await hostConfig.authRedirectUserConfirmation();
   }
-  const topic = getTopicFromAnonHostConfig(hostConfig);
-  return loadOrAcquireAccessToken(topic, acquireTokens, false, void 0);
+  startFullPageLoginFlow(hostConfig);
+  return new Promise(() => {
+  });
 }
-async function loadOrAcquireAccessToken(topic, acquireTokens, noCache, accessTokenStorage) {
-  if (noCache) {
-    return acquireTokens();
-  }
-  const mayUseStorage = isBrowser();
-  const storedOauthTokens = cachedTokens[topic] || (mayUseStorage ? loadOauthTokensFromStorage(topic, accessTokenStorage) : void 0);
-  if (storedOauthTokens) {
-    cachedTokens[topic] = storedOauthTokens;
-    return Promise.resolve(storedOauthTokens);
+var lastOauthTokensCall = Promise.resolve("");
+async function getOAuthAccessToken(hostConfig) {
+  if (isNode()) {
+    const tokens = await getOAuthTokensForNode(hostConfig);
+    if (tokens) {
+      handlePossibleErrors(tokens);
+      return tokens.accessToken || "";
+    }
+    return "";
   }
-  const tokensPromise = acquireTokens();
-  cachedTokens[topic] = tokensPromise;
-  if (mayUseStorage) {
-    const tokens = await tokensPromise;
-    if (accessTokenStorage === "local" && tokens) {
-      if (tokens.accessToken) {
-        saveInLocalStorage(topic, "access-token", tokens.accessToken);
-      }
-      if (tokens.refreshToken) {
-        saveInLocalStorage(topic, "refresh-token", tokens.refreshToken);
-      }
-    } else if (accessTokenStorage === "session" && tokens) {
-      if (tokens.accessToken) {
-        saveInSessionStorage(topic, "access-token", tokens.accessToken);
+  if (isBrowser()) {
+    lastOauthTokensCall = lastOauthTokensCall.then(async () => {
+      const tokens = await getOAuthTokensForBrowser(hostConfig);
+      if (tokens) {
+        handlePossibleErrors(tokens);
+        return tokens.accessToken || "";
       }
-      if (tokens.refreshToken) {
-        saveInSessionStorage(topic, "refresh-token", tokens.refreshToken);
+      return "";
+    });
+  }
+  return lastOauthTokensCall;
+}
+async function refreshAccessToken(hostConfig) {
+  const tokens = await loadCachedOauthTokens(hostConfig);
+  clearStoredOauthTokens(hostConfig);
+  if (tokens && tokens.refreshToken && hostConfig.clientSecret) {
+    const refreshedTokens = await loadOrAcquireAccessTokenOauth(hostConfig, async () => {
+      if (!tokens || !tokens.refreshToken || !hostConfig.clientSecret) {
+        throw new Error("Trying to refresh tokens without refreshToken or clientSecret");
       }
+      return getOauthTokensWithRefreshToken(
+        toValidLocationUrl(hostConfig),
+        tokens.refreshToken,
+        hostConfig.clientSecret
+      );
+    });
+    if (refreshedTokens) {
+      handlePossibleErrors(refreshedTokens);
     }
   }
-  return tokensPromise;
 }
-function clearStoredOauthTokens(hostConfig) {
-  const topic = getTopicFromOauthHostConfig(hostConfig);
-  delete cachedTokens[topic];
-  if (isBrowser()) {
-    deleteFromLocalStorage(topic, ["access-token", "refresh-token"]);
-    deleteFromSessionStorage(topic, ["access-token", "refresh-token"]);
+function extractCodeAndState(input) {
+  if (typeof input === "string") {
+    const queryParams = new URLSearchParams(new URL(input).search);
+    return {
+      code: queryParams.get("code") || "",
+      state: queryParams.get("state") || ""
+    };
   }
+  return input;
 }
-function clearStoredAnonymousTokens(hostConfig) {
-  const topic = getTopicFromAnonHostConfig(hostConfig);
-  delete cachedTokens[topic];
-  if (isBrowser()) {
-    deleteFromLocalStorage(topic, ["access-token", "refresh-token"]);
-    deleteFromSessionStorage(topic, ["access-token", "refresh-token"]);
-  }
+function errorMessageToAuthData(message) {
+  return {
+    accessToken: void 0,
+    refreshToken: void 0,
+    errors: [
+      {
+        code: "",
+        status: 401,
+        title: message,
+        detail: ""
+      }
+    ]
+  };
 }
 
-// src/auth/internal/default-auth-modules/oauth/oauth-utils.ts
-function toPerformInteractiveLoginFunction(performInteractiveLogin) {
-  if (typeof performInteractiveLogin === "string") {
-    const fn = lookupInteractiveLoginFn(performInteractiveLogin);
-    if (!fn) {
-      throw new Error(`No such function: ${performInteractiveLogin}`);
-    }
-    return fn;
+// src/auth/internal/default-auth-modules/oauth/temporary-token.ts
+async function exchangeAccessTokenForTemporaryToken(hostConfig, accessToken, purpose) {
+  const response = await fetch(`${toValidLocationUrl(hostConfig)}/oauth/token`, {
+    method: "POST",
+    credentials: "include",
+    mode: "cors",
+    headers: { "content-type": "application/json" },
+    redirect: "follow",
+    body: JSON.stringify({
+      subject_token: accessToken,
+      subject_token_type: "urn:ietf:params:oauth:token-type:access_token",
+      grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
+      purpose,
+      redirect_uri: globalThis.location?.href,
+      client_id: hostConfig.clientId
+    })
+  });
+  if (response.status !== 200) {
+    throw await toError(response);
   }
-  return performInteractiveLogin;
-}
-function lookupGetAccessFn(getAccessToken2) {
-  return globalThis[getAccessToken2];
-}
-function lookupInteractiveLoginFn(name) {
-  return globalThis[name];
+  const data = await response.json();
+  return data.access_token;
 }
-function handlePossibleErrors(data) {
-  if (data.errors) {
-    throw new AuthorizationError(data.errors);
+async function toError(response) {
+  const body = await response.text();
+  try {
+    const data = JSON.parse(body);
+    return new AuthorizationError(data.errors);
+  } catch {
+    return new AuthorizationError([
+      {
+        code: "unknown",
+        status: response.status,
+        detail: body,
+        title: "Unknown authentication error"
+      }
+    ]);
   }
 }
-function toQueryString(queryParams) {
-  const queryParamsKeys = Object.keys(queryParams);
-  queryParamsKeys.sort();
-  const query = queryParamsKeys.map((k) => `${k}=${queryParams[k]}`).join("&");
-  return query;
+
+// src/auth/internal/default-auth-modules/anonymous.ts
+async function handlePotentialAuthenticationErrorAndRetry(hostConfig, fn) {
+  try {
+    return await fn();
+  } catch (err) {
+    const { retry } = await handleAuthenticationError({
+      hostConfig,
+      canRetry: true
+    });
+    if (retry) {
+      return fn();
+    }
+    throw err;
+  }
 }
-function byteArrayToBase64(hashArray) {
-  let result2 = "";
+async function getOrCreateTrackingCode(hostConfig) {
+  let trackingCode;
   if (isBrowser()) {
-    const byteArrayToString = String.fromCharCode.apply(null, hashArray);
-    result2 = btoa(byteArrayToString);
-  } else if (isNode()) {
-    result2 = Buffer.from(hashArray).toString("base64");
+    const topic = getTopicFromAnonHostConfig(hostConfig);
+    trackingCode = loadFromLocalStorage(topic, "tracking-code");
+    if (!trackingCode) {
+      trackingCode = createTrackingCode();
+    }
+    saveInLocalStorage(topic, "tracking-code", trackingCode);
   } else {
-    throw new Error("Environment not supported for oauth2 authentication");
+    trackingCode = createTrackingCode();
   }
-  return result2;
-}
-async function sha256(message) {
-  const msgBuffer = new TextEncoder().encode(message);
-  const hashBuffer = await globalThis.crypto.subtle.digest("SHA-256", msgBuffer);
-  const hashArray = Array.from(new Uint8Array(hashBuffer));
-  const hashBase64 = byteArrayToBase64(hashArray);
-  return hashBase64.replaceAll(/\+/g, "-").replaceAll(/\//g, "_").replace(/=+$/, "");
-}
-async function createInteractiveLoginUrl(hostConfig, redirectUri, state, verifier) {
-  const clientId = hostConfig.clientId || "";
-  const locationUrl = toValidLocationUrl(hostConfig);
-  const codeChallenge = await sha256(verifier);
-  const queryParams = {
-    response_type: "code",
-    client_id: clientId,
-    redirect_uri: redirectUri,
-    scope: hostConfig.scope || "user_default",
-    state,
-    code_challenge: codeChallenge,
-    code_challenge_method: "S256"
-  };
-  return `${locationUrl}/oauth/authorize?${toQueryString(queryParams)}`;
+  return trackingCode;
 }
-async function startFullPageLoginFlow(hostConfig) {
-  const clientId = hostConfig.clientId || "";
-  const locationUrl = toValidLocationUrl(hostConfig);
-  const verifier = generateRandomString(128);
-  const state = generateRandomString(43);
-  const codeChallenge = await sha256(verifier);
-  const redirectUri = hostConfig.redirectUri || globalThis.location.href;
-  const topic = getTopicFromOauthHostConfig(hostConfig);
-  clearStoredOauthTokens(hostConfig);
-  saveInSessionStorage(topic, "state", state);
-  saveInSessionStorage(topic, "verifier", verifier);
-  saveInSessionStorage(topic, "href", globalThis.location.href);
-  saveInSessionStorage("", "client-in-progress", topic);
-  const queryParams = {
-    response_type: "code",
-    client_id: clientId,
-    redirect_uri: redirectUri,
-    scope: hostConfig.scope || "user_default",
-    state,
-    code_challenge: codeChallenge,
-    code_challenge_method: "S256"
-  };
-  const url = `${locationUrl}/oauth/authorize?${toQueryString(queryParams)}`;
-  globalThis.location.replace(url);
+function createTrackingCode() {
+  const timeStamp = Math.floor(Date.now() / 1e3).toString(16);
+  const randomString = generateRandomHexString(40 - timeStamp.length);
+  return `${timeStamp}${randomString}`;
 }
-async function exchangeCodeAndVerifierForAccessTokenData(hostConfig, code, verifier, redirectUri) {
-  try {
-    const result2 = await fetch(`${toValidLocationUrl(hostConfig)}/oauth/token`, {
-      method: "POST",
-      credentials: "include",
-      mode: "cors",
-      headers: { "content-type": "application/json" },
-      redirect: "follow",
-      body: JSON.stringify({
-        grant_type: "authorization_code",
-        scope: hostConfig.scope || "user_default",
-        ...code ? { code } : {},
-        ...{ redirect_uri: redirectUri || globalThis.location.href },
-        ...verifier ? { code_verifier: verifier } : {},
-        client_id: hostConfig.clientId
-      })
-    });
-    const data = await result2.json();
-    handlePossibleErrors(data);
-    return {
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      errors: data.errors
-    };
-  } catch (err) {
-    console.error(err);
-    return new Promise(() => {
-    });
+async function getAnonymousAccessToken(hostConfig) {
+  const { accessCode, clientId } = hostConfig;
+  if (!accessCode || !clientId) {
+    throw new InvalidHostConfigError(
+      'A host config with authType set to "anonymous" has to provide both an accessCode and clientId'
+    );
   }
-}
-function createBodyWithCredentialsEtc(clientId, clientSecret, scope, subject, userId) {
-  const commonProps = {
-    client_id: clientId,
-    client_secret: clientSecret,
-    scope
-  };
-  if (subject) {
-    return {
-      ...commonProps,
-      grant_type: "urn:qlik:oauth:user-impersonation",
-      user_lookup: {
-        field: "subject",
-        value: subject
-      }
-    };
+  const tokens = await loadOrAcquireAccessTokenAnon(hostConfig, async () => {
+    const baseUrl = toValidLocationUrl(hostConfig);
+    const trackingCode = await getOrCreateTrackingCode(hostConfig);
+    return getAnonymousOauthAccessToken(baseUrl, accessCode, clientId, trackingCode);
+  });
+  if (!tokens) {
+    return "";
+  }
+  if (tokens.errors) {
+    throw new AuthorizationError(tokens.errors);
   }
-  if (userId) {
-    return {
-      ...commonProps,
-      grant_type: "urn:qlik:oauth:user-impersonation",
-      user_lookup: {
-        field: "userId",
-        value: userId
-      }
-    };
+  if (tokens.accessToken) {
+    return tokens.accessToken;
   }
+  return "";
+}
+async function getRestCallAuthParams({
+  hostConfig
+}) {
   return {
-    ...commonProps,
-    grant_type: "client_credentials"
+    headers: {
+      Authorization: `Bearer ${await getAnonymousAccessToken(hostConfig)}`
+    },
+    queryParams: {},
+    credentials: "omit"
   };
 }
-async function getOauthTokensWithCredentials(baseUrl, clientId, clientSecret, scope = "user_default", subject, userId) {
-  const result2 = await fetch(`${baseUrl}/oauth/token`, {
-    method: "POST",
-    mode: "cors",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify(createBodyWithCredentialsEtc(clientId, clientSecret, scope, subject, userId))
+async function getWebSocketAuthParams({
+  hostConfig
+}) {
+  const websocketAccessToken = await handlePotentialAuthenticationErrorAndRetry(hostConfig, async () => {
+    const accessToken = await getAnonymousAccessToken(hostConfig);
+    return exchangeAccessTokenForTemporaryToken(hostConfig, accessToken, "websocket");
   });
-  const data = await result2.json();
   return {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token,
-    errors: data.errors
+    queryParams: {
+      accessToken: websocketAccessToken
+    }
   };
 }
-async function getOauthTokensWithRefreshToken(baseUrl, refreshToken, clientSecret) {
-  const result2 = await fetch(`${baseUrl}/oauth/token`, {
-    method: "POST",
-    mode: "cors",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({
-      grant_type: "refresh_token",
-      refresh_token: refreshToken,
-      client_secret: clientSecret
-    })
+async function getWebResourceAuthParams({
+  hostConfig
+}) {
+  const websocketResourceAccessToken = await handlePotentialAuthenticationErrorAndRetry(hostConfig, async () => {
+    const accessToken = await getAnonymousAccessToken(hostConfig);
+    return exchangeAccessTokenForTemporaryToken(hostConfig, accessToken, "websocket");
   });
-  const data = await result2.json();
   return {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token,
-    errors: data.errors
+    queryParams: {
+      accessToken: websocketResourceAccessToken
+    }
   };
 }
-async function getAnonymousOauthAccessToken(baseUrl, accessCode, clientId, trackingCode) {
-  const result2 = await fetch(`${baseUrl}/oauth/token/anonymous-embed`, {
-    method: "POST",
-    mode: "cors",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({
-      eac: accessCode,
-      client_id: clientId,
-      grant_type: "urn:qlik:oauth:anonymous-embed",
-      tracking_code: trackingCode
-    })
-  });
-  const data = await result2.json();
+async function handleAuthenticationError({
+  hostConfig
+}) {
+  clearStoredAnonymousTokens(hostConfig);
   return {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token,
-    errors: data.errors
+    preventDefault: false,
+    retry: true
   };
 }
-async function getOAuthTokensForNode(hostConfig) {
-  const { clientId, clientSecret } = hostConfig;
-  if (!clientId || !clientSecret) {
-    throw new InvalidHostConfigError(
-      'A host config with authType set to "oauth2" has to provide a clientId and a clientSecret'
-    );
-  }
-  const oauthTokens = await loadOrAcquireAccessTokenOauth(hostConfig, async () => {
-    if (!hostConfig.clientId || !hostConfig.clientSecret) {
-      throw new InvalidHostConfigError(
-        'A host config with authType set to "oauth2" has to provide a clientId and a clientSecret'
-      );
-    }
-    return getOauthTokensWithCredentials(
-      toValidLocationUrl(hostConfig),
-      hostConfig.clientId,
-      hostConfig.clientSecret,
-      hostConfig.scope,
-      hostConfig.subject,
-      hostConfig.userId
-    );
+var anonymous_default = {
+  requiredProps: ["clientId", "accessCode"],
+  optionalProps: [],
+  getRestCallAuthParams,
+  getWebSocketAuthParams,
+  getWebResourceAuthParams,
+  handleAuthenticationError
+};
+
+// src/auth/internal/default-auth-modules/apikey.ts
+function getRestCallAuthParams2({ hostConfig }) {
+  return Promise.resolve({
+    headers: {
+      Authorization: `Bearer ${hostConfig?.apiKey}`
+    },
+    queryParams: {},
+    credentials: "omit"
   });
-  return oauthTokens;
 }
-async function getOAuthTokensForBrowser(hostConfig) {
-  const { clientId } = hostConfig;
-  if (!clientId) {
-    throw new InvalidHostConfigError('A host config with authType set to "oauth2" has to also provide a clientId');
-  }
-  const oauthTokens = await loadOrAcquireAccessTokenOauth(hostConfig, async () => {
-    if (hostConfig.getAccessToken) {
-      try {
-        const tokenFetchedFromRemote = typeof hostConfig.getAccessToken === "string" ? await lookupGetAccessFn(hostConfig.getAccessToken)() : await hostConfig.getAccessToken();
-        return {
-          accessToken: tokenFetchedFromRemote,
-          refreshToken: void 0,
-          errors: void 0
-        };
-      } catch {
-        return errorMessageToAuthData("Could not fetch access token using custom function");
-      }
+async function getWebSocketAuthParams2() {
+  return {
+    queryParams: {
+      // accessToken: hostConfig.apiKey,
     }
-    if (hostConfig.performInteractiveLogin) {
-      let usedRedirectUri;
-      try {
-        const verifier2 = generateRandomString(128);
-        const originalState = generateRandomString(43);
-        const { code: code2, state } = extractCodeAndState(
-          await toPerformInteractiveLoginFunction(hostConfig.performInteractiveLogin)({
-            getLoginUrl: async ({ redirectUri }) => {
-              usedRedirectUri = redirectUri;
-              return createInteractiveLoginUrl(hostConfig, redirectUri, originalState, verifier2);
-            }
-          })
-        );
-        if (!usedRedirectUri) {
-          return errorMessageToAuthData("No redirect uri provided");
-        }
-        if (originalState !== state) {
-          return errorMessageToAuthData("State returned by custom interactive login function does not match original");
-        }
-        if (!code2) {
-          return errorMessageToAuthData("No code found in response from custom interactive login function");
-        }
-        const tokenResponse = await exchangeCodeAndVerifierForAccessTokenData(
+  };
+}
+function handleAuthenticationError2() {
+  return Promise.resolve({});
+}
+var apikey_default = {
+  requiredProps: ["apiKey"],
+  optionalProps: [],
+  getRestCallAuthParams: getRestCallAuthParams2,
+  getWebSocketAuthParams: getWebSocketAuthParams2,
+  handleAuthenticationError: handleAuthenticationError2
+};
+
+// src/http/http-constants.ts
+var QLIK_CSRF_TOKEN = "qlik-csrf-token";
+
+// src/http/http-functions.ts
+function clearCsrfToken(hostConfig) {
+  const locationUrl = toValidLocationUrl(hostConfig);
+  delete csrfTokens[locationUrl];
+}
+async function getCsrfToken(hostConfig, noCache) {
+  const locationUrl = toValidLocationUrl(hostConfig);
+  let pathTemplate;
+  if (await isWindows(hostConfig)) {
+    pathTemplate = "/qps/csrftoken";
+  } else {
+    pathTemplate = "/api/v1/csrf-token";
+  }
+  const fetchCsrfToken = async () => {
+    try {
+      const res = await invokeFetch("csrf-token", {
+        method: "get",
+        pathTemplate,
+        options: {
           hostConfig,
-          code2,
-          verifier2,
-          usedRedirectUri
-        );
-        return tokenResponse;
-      } catch (error) {
-        return {
-          accessToken: void 0,
-          refreshToken: void 0,
-          errors: [
-            {
-              code: "",
-              status: 401,
-              title: "Could not perform custom interactive login",
-              detail: `${error}`
-            }
-          ]
-        };
+          noCache: true
+        }
+      });
+      const csrfToken = res.headers.get(QLIK_CSRF_TOKEN);
+      if (!csrfToken) {
+        return "";
       }
-    }
-    const topic = getTopicFromOauthHostConfig(hostConfig);
-    const code = loadAndDeleteFromSessionStorage(topic, "code");
-    const verifier = loadAndDeleteFromSessionStorage(topic, "verifier");
-    if (code && verifier) {
-      const tokenResponse = await exchangeCodeAndVerifierForAccessTokenData(
-        hostConfig,
-        code,
-        verifier,
-        hostConfig.redirectUri
-      );
-      if (tokenResponse) {
-        return tokenResponse;
+      return csrfToken;
+    } catch (e) {
+      const error = e;
+      if (error.status === 404) {
+        return "";
       }
+      throw e;
     }
-    return void 0;
-  });
-  if (oauthTokens) {
-    return oauthTokens;
+  };
+  if (noCache) {
+    csrfTokens[locationUrl] = fetchCsrfToken();
+    return csrfTokens[locationUrl];
   }
-  if (hostConfig.performInteractiveLogin) {
-    return new Promise(() => {
-    });
+  csrfTokens[locationUrl] = csrfTokens[locationUrl] || fetchCsrfToken();
+  return csrfTokens[locationUrl];
+}
+var csrfTokens = {};
+
+// src/auth/internal/internal-auth-functions.ts
+function internalGetCredentialsForCookieAuth(hostConfig) {
+  if (hostConfig.crossSiteCookies === false) {
+    return "same-origin";
   }
-  if (hostConfig.authRedirectUserConfirmation) {
-    await hostConfig.authRedirectUserConfirmation();
+  if (isHostCrossOrigin(hostConfig)) {
+    return "include";
   }
-  startFullPageLoginFlow(hostConfig);
-  return new Promise(() => {
-  });
+  return "same-origin";
 }
-var lastOauthTokensCall = Promise.resolve("");
-async function getOAuthAccessToken(hostConfig) {
-  if (isNode()) {
-    const tokens = await getOAuthTokensForNode(hostConfig);
-    if (tokens) {
-      handlePossibleErrors(tokens);
-      return tokens.accessToken || "";
-    }
-    return "";
+
+// src/auth/internal/default-auth-modules/cookie.ts
+function isModifyingVerb(verb) {
+  return !(verb === "get" || verb === "GET");
+}
+async function getRestCallAuthParams3({
+  hostConfig,
+  method
+}) {
+  const headers = {};
+  if (isModifyingVerb(method)) {
+    headers["qlik-csrf-token"] = await getCsrfToken(hostConfig);
   }
-  if (isBrowser()) {
-    lastOauthTokensCall = lastOauthTokensCall.then(async () => {
-      const tokens = await getOAuthTokensForBrowser(hostConfig);
-      if (tokens) {
-        handlePossibleErrors(tokens);
-        return tokens.accessToken || "";
-      }
-      return "";
-    });
+  if (hostConfig.webIntegrationId) {
+    headers["qlik-web-integration-id"] = hostConfig.webIntegrationId;
   }
-  return lastOauthTokensCall;
+  return { headers, queryParams: {}, credentials: internalGetCredentialsForCookieAuth(hostConfig) };
 }
-async function refreshAccessToken(hostConfig) {
-  const tokens = await loadCachedOauthTokens(hostConfig);
-  clearStoredOauthTokens(hostConfig);
-  if (tokens && tokens.refreshToken && hostConfig.clientSecret) {
-    const refreshedTokens = await loadOrAcquireAccessTokenOauth(hostConfig, async () => {
-      if (!tokens || !tokens.refreshToken || !hostConfig.clientSecret) {
-        throw new Error("Trying to refresh tokens without refreshToken or clientSecret");
-      }
-      return getOauthTokensWithRefreshToken(
-        toValidLocationUrl(hostConfig),
-        tokens.refreshToken,
-        hostConfig.clientSecret
-      );
-    });
-    if (refreshedTokens) {
-      handlePossibleErrors(refreshedTokens);
-    }
+async function getWebSocketAuthParams3({
+  hostConfig
+}) {
+  const params = {
+    // Bypass the cache to get one rest call out the door that can catch a 401 since the websocket only returns a general error
+    "qlik-csrf-token": await getCsrfToken(hostConfig, true)
+  };
+  if (hostConfig.webIntegrationId) {
+    params["qlik-web-integration-id"] = hostConfig.webIntegrationId;
   }
+  return { queryParams: params };
 }
-function extractCodeAndState(input) {
-  if (typeof input === "string") {
-    const queryParams = new URLSearchParams(new URL(input).search);
+async function handleAuthenticationError3({
+  hostConfig,
+  status
+}) {
+  clearCsrfToken(hostConfig);
+  if (status === 403) {
     return {
-      code: queryParams.get("code") || "",
-      state: queryParams.get("state") || ""
+      preventDefault: false,
+      retry: true
     };
   }
-  return input;
-}
-function errorMessageToAuthData(message) {
+  const webIntegrationParam = hostConfig.webIntegrationId ? `qlik-web-integration-id=${hostConfig?.webIntegrationId}&` : "";
+  const locationUrl = toValidLocationUrl(hostConfig);
+  if (hostConfig.authRedirectUserConfirmation) {
+    await hostConfig.authRedirectUserConfirmation();
+  }
+  globalThis.location.replace(
+    `${locationUrl}/login?${webIntegrationParam}returnto=${encodeURIComponent(globalThis.location.href)}`
+  );
   return {
-    accessToken: void 0,
-    refreshToken: void 0,
-    errors: [
-      {
-        code: "",
-        status: 401,
-        title: message,
-        detail: ""
-      }
-    ]
+    preventDefault: true
   };
 }
+var cookie_default = {
+  requiredProps: [],
+  optionalProps: ["webIntegrationId", "crossSiteCookies", "anonymousMode"],
+  getRestCallAuthParams: getRestCallAuthParams3,
+  getWebSocketAuthParams: getWebSocketAuthParams3,
+  handleAuthenticationError: handleAuthenticationError3
+};
 
-// src/auth/internal/default-auth-modules/oauth/temporary-token.ts
-async function exchangeAccessTokenForTemporaryToken(hostConfig, accessToken, purpose) {
-  const response = await fetch(`${toValidLocationUrl(hostConfig)}/oauth/token`, {
-    method: "POST",
-    credentials: "include",
-    mode: "cors",
-    headers: { "content-type": "application/json" },
-    redirect: "follow",
-    body: JSON.stringify({
-      subject_token: accessToken,
-      subject_token_type: "urn:ietf:params:oauth:token-type:access_token",
-      grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
-      purpose,
-      redirect_uri: globalThis.location?.href,
-      client_id: hostConfig.clientId
-    })
-  });
-  if (response.status !== 200) {
-    throw await toError(response);
-  }
-  const data = await response.json();
-  return data.access_token;
+// src/auth/internal/default-auth-modules/none.ts
+function getRestCallAuthParams4() {
+  return Promise.resolve({ headers: {}, queryParams: {}, credentials: "same-origin" });
 }
-async function toError(response) {
-  const body = await response.text();
-  try {
-    const data = JSON.parse(body);
-    return new AuthorizationError(data.errors);
-  } catch {
-    return new AuthorizationError([
-      {
-        code: "unknown",
-        status: response.status,
-        detail: body,
-        title: "Unknown authentication error"
+function getWebSocketAuthParams4() {
+  return Promise.resolve({ queryParams: {} });
+}
+function handleAuthenticationError4() {
+  return Promise.resolve({});
+}
+var none_default = {
+  requiredProps: [],
+  optionalProps: [],
+  getRestCallAuthParams: getRestCallAuthParams4,
+  getWebSocketAuthParams: getWebSocketAuthParams4,
+  handleAuthenticationError: handleAuthenticationError4
+};
+
+// src/auth/internal/default-auth-modules/oauth/callback.ts
+function handleOAuthCallback() {
+  const urlParams = new URLSearchParams(globalThis.location.search);
+  const callbackCode = urlParams.get("code") || void 0;
+  const callbackState = urlParams.get("state") || void 0;
+  if (urlParams.get("error")) {
+    const element = document.createElement("pre");
+    element.innerText = `<code>${JSON.stringify({
+      error: urlParams.get("error"),
+      error_code: urlParams.get("error_code"),
+      error_description: urlParams.get("error_description"),
+      error_detail: urlParams.get("error_detail"),
+      error_uri: urlParams.get("error_uri")
+    })}</code>`;
+    document.body.prepend(element);
+  }
+  const topic = loadAndDeleteFromSessionStorage("", "client-in-progress");
+  if (topic && callbackCode && callbackState) {
+    const stateFromLocalStorage = loadAndDeleteFromSessionStorage(topic, "state");
+    const finalRedirectUri = loadAndDeleteFromSessionStorage(topic, "href");
+    if (stateFromLocalStorage && stateFromLocalStorage === callbackState && finalRedirectUri) {
+      saveInSessionStorage(topic, "code", callbackCode);
+      if (finalRedirectUri !== globalThis.location.href) {
+        globalThis.location.replace(finalRedirectUri);
       }
-    ]);
+    }
   }
 }
 
-// src/auth/internal/default-auth-modules/anonymous.ts
-async function handlePotentialAuthenticationErrorAndRetry(hostConfig, fn) {
+// src/auth/internal/default-auth-modules/oauth.ts
+if (isBrowser()) {
+  handleOAuthCallback();
+}
+async function handlePotentialAuthenticationErrorAndRetry2(hostConfig, fn) {
   try {
     return await fn();
   } catch (err) {
-    const { retry } = await handleAuthenticationError2({
+    const { retry } = await handleAuthenticationError5({
       hostConfig,
       canRetry: true
     });
@@ -1097,518 +1080,586 @@ async function handlePotentialAuthenticationErrorAndRetry(hostConfig, fn) {
     throw err;
   }
 }
-async function getOrCreateTrackingCode(hostConfig) {
-  let trackingCode;
+async function getRestCallAuthParams5({
+  hostConfig
+}) {
+  return {
+    headers: {
+      Authorization: `Bearer ${await getOAuthAccessToken(hostConfig)}`
+    },
+    queryParams: {},
+    credentials: "omit"
+  };
+}
+async function getWebSocketAuthParams5({
+  hostConfig
+}) {
+  const websocketAccessToken = await handlePotentialAuthenticationErrorAndRetry2(hostConfig, async () => {
+    const accessToken = await getOAuthAccessToken(hostConfig);
+    return exchangeAccessTokenForTemporaryToken(hostConfig, accessToken, "websocket");
+  });
+  return {
+    queryParams: {
+      accessToken: websocketAccessToken
+    }
+  };
+}
+async function getWebResourceAuthParams2({
+  hostConfig
+}) {
+  const webResourceAccessToken = await handlePotentialAuthenticationErrorAndRetry2(hostConfig, async () => {
+    const accessToken = await getOAuthAccessToken(hostConfig);
+    return exchangeAccessTokenForTemporaryToken(hostConfig, accessToken, "webresource");
+  });
+  return {
+    queryParams: {
+      accessToken: webResourceAccessToken
+    }
+  };
+}
+async function handleAuthenticationError5({
+  hostConfig
+}) {
+  if (hostConfig.getAccessToken) {
+    clearStoredOauthTokens(hostConfig);
+    return {
+      preventDefault: false,
+      retry: true
+    };
+  }
   if (isBrowser()) {
-    const topic = getTopicFromAnonHostConfig(hostConfig);
-    trackingCode = loadFromLocalStorage(topic, "tracking-code");
-    if (!trackingCode) {
-      trackingCode = createTrackingCode();
+    if (hostConfig.performInteractiveLogin) {
+      clearStoredOauthTokens(hostConfig);
+      return {
+        retry: true
+      };
     }
-    saveInLocalStorage(topic, "tracking-code", trackingCode);
-  } else {
-    trackingCode = createTrackingCode();
+    if (hostConfig.authRedirectUserConfirmation) {
+      await hostConfig.authRedirectUserConfirmation();
+    }
+    startFullPageLoginFlow(hostConfig);
+    return {
+      preventDefault: true
+    };
   }
-  return trackingCode;
+  await refreshAccessToken(hostConfig);
+  return {
+    preventDefault: false,
+    retry: true
+  };
+}
+var oauth_default = {
+  requiredProps: ["clientId"],
+  optionalProps: [
+    "clientSecret",
+    "redirectUri",
+    "accessTokenStorage",
+    "scope",
+    "subject",
+    "userId",
+    "noCache",
+    "getAccessToken",
+    "performInteractiveLogin"
+  ],
+  getRestCallAuthParams: getRestCallAuthParams5,
+  getWebSocketAuthParams: getWebSocketAuthParams5,
+  getWebResourceAuthParams: getWebResourceAuthParams2,
+  handleAuthenticationError: handleAuthenticationError5
+};
+
+// src/auth/internal/default-auth-modules/reference.ts
+function getRestCallAuthParams6() {
+  throw new Error("getRestCallAuthParams should never be called for reference auth module");
 }
-function createTrackingCode() {
-  const timeStamp = Math.floor(Date.now() / 1e3).toString(16);
-  const randomString = generateRandomHexString(40 - timeStamp.length);
-  return `${timeStamp}${randomString}`;
+function getWebSocketAuthParams6() {
+  throw new Error("getWebSocketAuthParams should never be called for reference auth module");
 }
-async function getAnonymousAccessToken(hostConfig) {
-  const { accessCode, clientId } = hostConfig;
-  if (!accessCode || !clientId) {
-    throw new InvalidHostConfigError(
-      'A host config with authType set to "anonymous" has to provide both an accessCode and clientId'
-    );
-  }
-  const tokens = await loadOrAcquireAccessTokenAnon(hostConfig, async () => {
-    const baseUrl = toValidLocationUrl(hostConfig);
-    const trackingCode = await getOrCreateTrackingCode(hostConfig);
-    return getAnonymousOauthAccessToken(baseUrl, accessCode, clientId, trackingCode);
-  });
-  if (!tokens) {
-    return "";
-  }
-  if (tokens.errors) {
-    throw new AuthorizationError(tokens.errors);
-  }
-  if (tokens.accessToken) {
-    return tokens.accessToken;
+function handleAuthenticationError6() {
+  throw new Error("handleAuthenticationError should never be called for reference auth module");
+}
+var reference_default = {
+  requiredProps: ["reference"],
+  optionalProps: [],
+  getRestCallAuthParams: getRestCallAuthParams6,
+  getWebSocketAuthParams: getWebSocketAuthParams6,
+  handleAuthenticationError: handleAuthenticationError6
+};
+
+// src/auth/internal/default-auth-modules/windows-cookie/xrf-keys.ts
+var xrfKeys = {};
+function createXrfKey() {
+  let result2 = "";
+  for (let i = 0; i < 16; i += 1) {
+    const j = Math.floor(Math.random() * 62);
+    if (j < 10) {
+      result2 += j;
+    } else if (j > 9 && j < 36) {
+      result2 += String.fromCharCode(j + 55);
+    } else {
+      result2 += String.fromCharCode(j + 61);
+    }
   }
-  return "";
+  return result2;
+}
+function getXrfKey(hostConfig) {
+  const locationUrl = toValidLocationUrl(hostConfig);
+  xrfKeys[locationUrl] = xrfKeys[locationUrl] || createXrfKey();
+  return xrfKeys[locationUrl];
 }
-async function getRestCallAuthParams2({
+
+// src/auth/internal/default-auth-modules/windows-cookie.ts
+async function getRestCallAuthParams7({
   hostConfig
 }) {
   return {
     headers: {
-      Authorization: `Bearer ${await getAnonymousAccessToken(hostConfig)}`
+      "X-Qlik-XrfKey": getXrfKey(hostConfig)
     },
-    queryParams: {},
-    credentials: "omit"
-  };
-}
-async function getWebSocketAuthParams2({
-  hostConfig
-}) {
-  const websocketAccessToken = await handlePotentialAuthenticationErrorAndRetry(hostConfig, async () => {
-    const accessToken = await getAnonymousAccessToken(hostConfig);
-    return exchangeAccessTokenForTemporaryToken(hostConfig, accessToken, "websocket");
-  });
-  return {
     queryParams: {
-      accessToken: websocketAccessToken
-    }
+      xrfkey: getXrfKey(hostConfig)
+    },
+    credentials: internalGetCredentialsForCookieAuth(hostConfig)
   };
 }
-async function getWebResourceAuthParams2({
+async function getWebSocketAuthParams7({
   hostConfig
 }) {
-  const websocketResourceAccessToken = await handlePotentialAuthenticationErrorAndRetry(hostConfig, async () => {
-    const accessToken = await getAnonymousAccessToken(hostConfig);
-    return exchangeAccessTokenForTemporaryToken(hostConfig, accessToken, "websocket");
-  });
   return {
     queryParams: {
-      accessToken: websocketResourceAccessToken
+      xrfkey: getXrfKey(hostConfig),
+      "qlik-csrf-token": await getCsrfToken(hostConfig, true)
     }
   };
 }
-async function handleAuthenticationError2({
+async function handleAuthenticationError7({
   hostConfig
 }) {
-  clearStoredAnonymousTokens(hostConfig);
+  if (hostConfig.loginUri) {
+    if (hostConfig.authRedirectUserConfirmation) {
+      await hostConfig.authRedirectUserConfirmation();
+    }
+    globalThis.location.replace(
+      hostConfig.loginUri.replace("{location}", encodeURIComponent(globalThis.location.href))
+    );
+    return {
+      preventDefault: true
+    };
+  }
   return {
-    preventDefault: false,
-    retry: true
+    // Do nothing, just let the error be thrown to calling code
   };
 }
-var anonymous_default = {
-  getRestCallAuthParams: getRestCallAuthParams2,
-  getWebSocketAuthParams: getWebSocketAuthParams2,
-  getWebResourceAuthParams: getWebResourceAuthParams2,
-  handleAuthenticationError: handleAuthenticationError2,
-  validateHostConfig: (hostConfig) => internalValidateHostConfig(hostConfig, {
-    requiredProps: ["clientId", "accessCode"],
-    optionalProps: []
-  })
+var windows_cookie_default = {
+  requiredProps: [],
+  optionalProps: ["loginUri", "crossSiteCookies"],
+  getRestCallAuthParams: getRestCallAuthParams7,
+  getWebSocketAuthParams: getWebSocketAuthParams7,
+  handleAuthenticationError: handleAuthenticationError7
 };
 
-// src/auth/internal/default-auth-modules/apikey.ts
-function getRestCallAuthParams3({ hostConfig }) {
-  return Promise.resolve({
-    headers: {
-      Authorization: `Bearer ${hostConfig?.apiKey}`
-    },
-    queryParams: {},
-    credentials: "omit"
+// src/auth/internal/auth-module-registry.ts
+var authModules = {};
+var ongoingAuthModuleLoading = Promise.resolve();
+var authModulesRegistered = false;
+(function registerDefaultAuthModules() {
+  if (!authModulesRegistered) {
+    registerAuthModule("apikey", apikey_default);
+    registerAuthModule("cookie", cookie_default);
+    registerAuthModule("none", none_default);
+    registerAuthModule("oauth2", oauth_default);
+    registerAuthModule("anonymous", anonymous_default);
+    registerAuthModule("windowscookie", windows_cookie_default);
+    registerAuthModule("reference", reference_default);
+    authModulesRegistered = true;
+  }
+})();
+function registerAuthModule(name, authModule) {
+  authModules[name.toLowerCase()] = authModule;
+}
+function getRegisteredAuthModules() {
+  return Object.keys(authModules);
+}
+function getRegisteredAuthModule(authType) {
+  return authModules[authType.toLowerCase()];
+}
+async function getAuthModule(hostConfig) {
+  const hostConfigToUse = withResolvedHostConfig(hostConfig);
+  const authType = await determineAuthType(hostConfigToUse);
+  if (ongoingAuthModuleLoading) {
+    await ongoingAuthModuleLoading;
+  }
+  let authModule = getRegisteredAuthModule(authType);
+  if (!authModule) {
+    ongoingAuthModuleLoading = (async () => {
+      authModule = await resolveGloballyDefinedAuthModule(authType);
+      if (authModule) {
+        registerAuthModule(authType, authModule);
+      }
+    })();
+    await ongoingAuthModuleLoading;
+  }
+  if (!authModule) {
+    throw new InvalidAuthTypeError(authType);
+  }
+  if (authModule.validateHostConfig) {
+    authModule.validateHostConfig({ authType, ...hostConfigToUse });
+  } else {
+    internalValidateHostConfig(
+      { authType, ...hostConfigToUse },
+      { requiredProps: authModule.requiredProps || [], optionalProps: authModule.optionalProps || [] }
+    );
+  }
+  return authModule;
+}
+async function resolveGloballyDefinedAuthModule(authType) {
+  const globalWindow = globalThis;
+  const globalVariable = globalWindow[authType];
+  if (globalVariable) {
+    let potentialAuthModule;
+    if (typeof globalVariable === "function") {
+      potentialAuthModule = await globalVariable();
+    } else {
+      potentialAuthModule = globalVariable;
+    }
+    if (potentialAuthModule && potentialAuthModule.getRestCallAuthParams && potentialAuthModule.getWebSocketAuthParams && potentialAuthModule.handleAuthenticationError) {
+      return potentialAuthModule;
+    }
+    console.error("Not a valid auth module", potentialAuthModule);
+    throw new InvalidAuthTypeError(authType);
+  }
+  return Promise.resolve(void 0);
+}
+function internalValidateHostConfig(hostConfig, { requiredProps, optionalProps }) {
+  const missingRequiredProps = [];
+  for (const requiredProp of requiredProps) {
+    if (!hostConfig[requiredProp]) {
+      missingRequiredProps.push(requiredProp);
+    }
+  }
+  if (missingRequiredProps.length > 0) {
+    throw new InvalidHostConfigError(
+      `missing required properties in host config; '${missingRequiredProps.join("', '")}'`
+    );
+  }
+  const validProps = [...hostConfigCommonProperties, ...requiredProps, ...optionalProps];
+  const invalidKeys = [];
+  Object.keys(hostConfig).forEach((key) => {
+    if (!validProps.includes(key)) {
+      invalidKeys.push(key);
+    }
   });
+  if (invalidKeys.length > 0) {
+    console.warn(`WARNING: unknown properties in host config; '${invalidKeys.join("', '")}'`);
+  }
+  return true;
 }
-async function getWebSocketAuthParams3() {
-  return {
-    queryParams: {
-      // accessToken: hostConfig.apiKey,
+async function determineAuthType(hostConfig) {
+  if (hostConfig.authType) {
+    return hostConfig.authType;
+  }
+  if (hostConfig.apiKey) {
+    return "apikey";
+  }
+  if (hostConfig.accessCode) {
+    return "anonymous";
+  }
+  if (hostConfig.clientId) {
+    return "oauth2";
+  }
+  if (hostConfig.webIntegrationId) {
+    return "cookie";
+  }
+  if (hostConfig.reference) {
+    return "reference";
+  }
+  if (await isWindows(hostConfig)) {
+    return "windowscookie";
+  }
+  return "cookie";
+}
+
+// src/auth/auth-errors.ts
+var InvalidHostConfigError = class extends Error {
+  constructor(message) {
+    super(`Invalid host config: ${message}`);
+    this.name = "InvalidHostConfigError";
+  }
+};
+var UnexpectedAuthTypeError = class extends Error {
+  constructor(...expectedAuthTypes) {
+    const ors = expectedAuthTypes.map((item, index) => index === 0 ? `"${item}"` : `or "${item}"`).join(" ");
+    super(`HostConfig is not properly configured. authType is expected to be ${ors}`);
+    this.name = "UnexpectedAuthTypeError";
+  }
+};
+var InvalidAuthTypeError = class extends Error {
+  constructor(authType) {
+    const validAuthModules = getRegisteredAuthModules();
+    super(
+      `Not a valid auth type: ${authType}, valid auth types are; '${validAuthModules.filter((name) => name.toLowerCase() !== "qmfeembedframerauthmodule").join("', '")}'`
+    );
+    this.name = "InvalidAuthTypeError";
+  }
+};
+function errorToString({ title, detail, code, status }) {
+  if (detail) {
+    return `${title} - ${detail} (Status: ${status}, Code: ${code})`;
+  }
+  return `${title} (Status: ${status}, Code: ${code})`;
+}
+var AuthorizationError = class extends Error {
+  errors;
+  constructor(errors) {
+    if (typeof errors !== "object") {
+      super("Unknown error");
+      return;
     }
-  };
-}
-function handleAuthenticationError3() {
-  return Promise.resolve({});
-}
-var apikey_default = {
-  getRestCallAuthParams: getRestCallAuthParams3,
-  getWebSocketAuthParams: getWebSocketAuthParams3,
-  handleAuthenticationError: handleAuthenticationError3,
-  validateHostConfig: (hostConfig) => internalValidateHostConfig(hostConfig, { requiredProps: ["apiKey"], optionalProps: [] })
+    const errorArray = Array.isArray(errors) ? errors : [errors];
+    super(errorArray.map(errorToString).join(", "));
+    this.errors = errorArray;
+  }
 };
 
-// src/http/http-functions.ts
-var QLIK_CSRF_TOKEN = "qlik-csrf-token";
-function clearCsrfToken(hostConfig) {
-  const locationUrl = toValidLocationUrl(hostConfig);
-  delete csrfTokens[locationUrl];
-}
-async function getCsrfToken(hostConfig, noCache) {
-  const locationUrl = toValidLocationUrl(hostConfig);
-  let pathTemplate;
-  if (await isWindows(hostConfig)) {
-    pathTemplate = "/qps/csrftoken";
-  } else {
-    pathTemplate = "/api/v1/csrf-token";
+// src/auth/internal/host-config-functions.ts
+function removeDefaults(hostConfig) {
+  const cleanedHostConfig = cleanFalsyValues(hostConfig) || {};
+  if (cleanedHostConfig.host) {
+    cleanedHostConfig.host = toValidLocationUrl(cleanedHostConfig);
   }
-  const fetchCsrfToken = async () => {
-    try {
-      const res = await invokeFetch("csrf-token", {
-        method: "get",
-        pathTemplate,
-        options: {
-          hostConfig,
-          noCache: true
-        }
-      });
-      const csrfToken = res.headers.get(QLIK_CSRF_TOKEN);
-      if (!csrfToken) {
-        return "";
-      }
-      return csrfToken;
-    } catch (e) {
-      const error = e;
-      if (error.status === 404) {
-        return "";
-      }
-      throw e;
+  if (isBrowser()) {
+    if (toValidLocationUrl(cleanedHostConfig) === window.location.origin) {
+      delete cleanedHostConfig.host;
     }
-  };
-  if (noCache) {
-    csrfTokens[locationUrl] = fetchCsrfToken();
-    return csrfTokens[locationUrl];
   }
-  csrfTokens[locationUrl] = csrfTokens[locationUrl] || fetchCsrfToken();
-  return csrfTokens[locationUrl];
+  if (cleanedHostConfig.authType && authTypesThatCanBeOmitted.includes(cleanedHostConfig.authType)) {
+    delete cleanedHostConfig.authType;
+  }
+  return cleanedHostConfig;
 }
-var csrfTokens = {};
-
-// src/auth/internal/default-auth-modules/cookie.ts
-function isModifyingVerb(verb) {
-  return !(verb === "get" || verb === "GET");
+function globalReplacer(key, value) {
+  if (typeof value === "function") {
+    return void 0;
+  }
+  return value;
 }
-async function getRestCallAuthParams4({
-  hostConfig,
-  method
-}) {
-  const headers = {};
-  if (isModifyingVerb(method)) {
-    headers["qlik-csrf-token"] = await getCsrfToken(hostConfig);
+function serializeHostConfig(hostConfig) {
+  const hostConfigToUse = removeDefaults(withResolvedHostConfig(hostConfig));
+  const sorted = sortKeys(hostConfigToUse);
+  return JSON.stringify(sorted, globalReplacer);
+}
+var registeredHostConfigs = /* @__PURE__ */ new Map();
+function registerHostConfig(name, hostConfig) {
+  if (hostConfig?.reference) {
+    throw new InvalidHostConfigError("Cannot register a host config with a reference");
   }
-  if (hostConfig.webIntegrationId) {
-    headers["qlik-web-integration-id"] = hostConfig.webIntegrationId;
+  if (registeredHostConfigs.has(name)) {
+    console.warn(`registerHostConfig: Host config with name "${name}" is already registered. Overwriting.`);
   }
-  return { headers, queryParams: {}, credentials: getCredentialsForCookieAuth(hostConfig) };
+  registeredHostConfigs.set(name, hostConfig);
 }
-async function getWebSocketAuthParams4({
-  hostConfig
-}) {
-  const params = {
-    // Bypass the cache to get one rest call out the door that can catch a 401 since the websocket only returns a general error
-    "qlik-csrf-token": await getCsrfToken(hostConfig, true)
-  };
-  if (hostConfig.webIntegrationId) {
-    params["qlik-web-integration-id"] = hostConfig.webIntegrationId;
+function unregisterHostConfig(name) {
+  if (registeredHostConfigs.has(name)) {
+    registeredHostConfigs.delete(name);
+  } else {
+    console.warn(`unregisterHostConfig: Host config with name "${name}" not found.`);
   }
-  return { queryParams: params };
 }
-async function handleAuthenticationError4({
-  hostConfig,
-  status
-}) {
-  clearCsrfToken(hostConfig);
-  if (status === 403) {
-    return {
-      preventDefault: false,
-      retry: true
-    };
-  }
-  const webIntegrationParam = hostConfig.webIntegrationId ? `qlik-web-integration-id=${hostConfig?.webIntegrationId}&` : "";
-  const locationUrl = toValidLocationUrl(hostConfig);
-  if (hostConfig.authRedirectUserConfirmation) {
-    await hostConfig.authRedirectUserConfirmation();
-  }
-  globalThis.location.replace(
-    `${locationUrl}/login?${webIntegrationParam}returnto=${encodeURIComponent(globalThis.location.href)}`
-  );
-  return {
-    preventDefault: true
-  };
+function getRegisteredHostConfig(name) {
+  return registeredHostConfigs.get(name);
+}
+function setDefaultHostConfig(hostConfig) {
+  registerHostConfig("default", hostConfig || {});
+}
+function getDefaultHostConfig() {
+  return getRegisteredHostConfig("default") || {};
 }
-var cookie_default = {
-  getRestCallAuthParams: getRestCallAuthParams4,
-  getWebSocketAuthParams: getWebSocketAuthParams4,
-  handleAuthenticationError: handleAuthenticationError4,
-  validateHostConfig: (hostConfig) => internalValidateHostConfig(hostConfig, {
-    requiredProps: [],
-    optionalProps: ["webIntegrationId", "crossSiteCookies", "anonymousMode"]
-  })
-};
 
-// src/auth/internal/default-auth-modules/none.ts
-function getRestCallAuthParams5() {
-  return Promise.resolve({ headers: {}, queryParams: {}, credentials: "same-origin" });
+// src/auth/auth-functions.ts
+globalThis.loggingOut = false;
+var lastErrorMessage = "";
+function logToConsole({ message }) {
+  if (message !== lastErrorMessage) {
+    lastErrorMessage = message;
+    console.error(message);
+  }
 }
-function getWebSocketAuthParams5() {
-  return Promise.resolve({ queryParams: {} });
+function determineAuthType2(hostConfig) {
+  return determineAuthType(hostConfig);
 }
-function handleAuthenticationError5() {
-  return Promise.resolve({});
+function isHostCrossOrigin(hostConfig) {
+  if (!globalThis.location?.origin) {
+    return true;
+  }
+  const hostConfigToUse = withResolvedHostConfig(hostConfig);
+  if (Object.keys(hostConfigToUse).length === 0) {
+    return false;
+  }
+  try {
+    const locationUrl = new URL(toValidLocationUrl(hostConfigToUse));
+    return locationUrl.origin !== globalThis.location.origin;
+  } catch {
+  }
+  return false;
 }
-var none_default = {
-  getRestCallAuthParams: getRestCallAuthParams5,
-  getWebSocketAuthParams: getWebSocketAuthParams5,
-  handleAuthenticationError: handleAuthenticationError5,
-  validateHostConfig: (hostConfig) => internalValidateHostConfig(hostConfig, { requiredProps: [], optionalProps: [] })
-};
-
-// src/auth/internal/default-auth-modules/oauth/callback.ts
-function handleOAuthCallback() {
-  const urlParams = new URLSearchParams(globalThis.location.search);
-  const callbackCode = urlParams.get("code") || void 0;
-  const callbackState = urlParams.get("state") || void 0;
-  if (urlParams.get("error")) {
-    const element = document.createElement("pre");
-    element.innerText = `<code>${JSON.stringify({
-      error: urlParams.get("error"),
-      error_code: urlParams.get("error_code"),
-      error_description: urlParams.get("error_description"),
-      error_detail: urlParams.get("error_detail"),
-      error_uri: urlParams.get("error_uri")
-    })}</code>`;
-    document.body.prepend(element);
+async function isWindows(hostConfig) {
+  const hostConfigToUse = withResolvedHostConfig(hostConfig);
+  if (typeof hostConfigToUse.forceIsWindows === "boolean") {
+    return hostConfigToUse.forceIsWindows;
   }
-  const topic = loadAndDeleteFromSessionStorage("", "client-in-progress");
-  if (topic && callbackCode && callbackState) {
-    const stateFromLocalStorage = loadAndDeleteFromSessionStorage(topic, "state");
-    const finalRedirectUri = loadAndDeleteFromSessionStorage(topic, "href");
-    if (stateFromLocalStorage && stateFromLocalStorage === callbackState && finalRedirectUri) {
-      saveInSessionStorage(topic, "code", callbackCode);
-      if (finalRedirectUri !== globalThis.location.href) {
-        globalThis.location.replace(finalRedirectUri);
-      }
-    }
+  if (hostConfigToUse.authType === "cookie") {
+    return false;
+  }
+  if (hostConfigToUse.authType === "windowscookie") {
+    return true;
   }
+  return (await getPlatform({ hostConfig })).isWindows;
 }
-
-// src/auth/internal/default-auth-modules/oauth.ts
-if (isBrowser()) {
-  handleOAuthCallback();
+function toValidLocationUrl(hostConfig) {
+  const url = withResolvedHostConfig(hostConfig)?.host?.trim();
+  let locationUrl;
+  if (!url) {
+    locationUrl = "";
+  } else if (url.toLowerCase().startsWith("https://") || url.toLowerCase().startsWith("http://")) {
+    locationUrl = url;
+  } else {
+    locationUrl = `https://${url}`;
+  }
+  while (locationUrl[locationUrl.length - 1] === "/") {
+    locationUrl = locationUrl.substring(0, locationUrl.length - 1);
+  }
+  return locationUrl;
 }
-async function handlePotentialAuthenticationErrorAndRetry2(hostConfig, fn) {
+function toValidWebsocketLocationUrl(hostConfig) {
+  const url = withResolvedHostConfig(hostConfig)?.host;
+  let locationUrl;
+  if (!url) {
+    locationUrl = globalThis.location.origin;
+  } else if (url.toLowerCase().startsWith("https://") || url.toLowerCase().startsWith("http://")) {
+    locationUrl = url;
+  } else {
+    locationUrl = `https://${url}`;
+  }
+  while (locationUrl[locationUrl.length - 1] === "/") {
+    locationUrl = locationUrl.substring(0, locationUrl.length - 1);
+  }
+  return locationUrl.replace(leadingHttp, "ws");
+}
+async function getWebSocketAuthParams8(props) {
+  const hostConfigToUse = withResolvedHostConfig(props.hostConfig);
   try {
-    return await fn();
+    const authModule = await getAuthModule(hostConfigToUse);
+    return await authModule.getWebSocketAuthParams({
+      ...props,
+      hostConfig: hostConfigToUse
+    });
   } catch (err) {
-    const { retry } = await handleAuthenticationError6({
-      hostConfig,
-      canRetry: true
+    (hostConfigToUse.onAuthFailed || logToConsole)(normalizeAuthModuleError(err));
+    throw err;
+  }
+}
+async function getWebResourceAuthParams3(props) {
+  const hostConfigToUse = withResolvedHostConfig(props.hostConfig);
+  try {
+    const authModule = await getAuthModule(hostConfigToUse);
+    return await authModule.getWebResourceAuthParams?.({
+      ...props,
+      hostConfig: hostConfigToUse
+    }) || { queryParams: {} };
+  } catch (err) {
+    (hostConfigToUse.onAuthFailed || logToConsole)(normalizeAuthModuleError(err));
+    throw err;
+  }
+}
+async function handleAuthenticationError8(props) {
+  const hostConfigToUse = withResolvedHostConfig(props.hostConfig);
+  const authModule = await getAuthModule(hostConfigToUse);
+  const result2 = await authModule.handleAuthenticationError({
+    ...props,
+    hostConfig: hostConfigToUse
+  });
+  const willRetry = props.canRetry && result2.retry;
+  const willHangUntilANewPageIsLoaded = result2.preventDefault;
+  if (!willRetry && !willHangUntilANewPageIsLoaded) {
+    const { status, errorBody } = props;
+    (hostConfigToUse.onAuthFailed || logToConsole)(normalizeInbandAuthError({ status, errorBody }));
+  }
+  return result2;
+}
+async function getRestCallAuthParams8(props) {
+  const hostConfigToUse = withResolvedHostConfig(props.hostConfig);
+  try {
+    const authModule = await getAuthModule(hostConfigToUse);
+    return await authModule.getRestCallAuthParams({
+      ...props,
+      hostConfig: hostConfigToUse
     });
-    if (retry) {
-      return fn();
-    }
+  } catch (err) {
+    (hostConfigToUse.onAuthFailed || logToConsole)(normalizeAuthModuleError(err));
     throw err;
   }
 }
-async function getRestCallAuthParams6({
-  hostConfig
-}) {
-  return {
-    headers: {
-      Authorization: `Bearer ${await getOAuthAccessToken(hostConfig)}`
-    },
-    queryParams: {},
-    credentials: "omit"
-  };
+function registerAuthModule2(name, authModule) {
+  registerAuthModule(name, authModule);
 }
-async function getWebSocketAuthParams6({
-  hostConfig
-}) {
-  const websocketAccessToken = await handlePotentialAuthenticationErrorAndRetry2(hostConfig, async () => {
-    const accessToken = await getOAuthAccessToken(hostConfig);
-    return exchangeAccessTokenForTemporaryToken(hostConfig, accessToken, "websocket");
-  });
-  return {
-    queryParams: {
-      accessToken: websocketAccessToken
-    }
-  };
+function setDefaultHostConfig2(hostConfig) {
+  setDefaultHostConfig(hostConfig);
 }
-async function getWebResourceAuthParams3({
-  hostConfig
-}) {
-  const webResourceAccessToken = await handlePotentialAuthenticationErrorAndRetry2(hostConfig, async () => {
-    const accessToken = await getOAuthAccessToken(hostConfig);
-    return exchangeAccessTokenForTemporaryToken(hostConfig, accessToken, "webresource");
-  });
-  return {
-    queryParams: {
-      accessToken: webResourceAccessToken
-    }
-  };
+function registerHostConfig2(name, hostConfig) {
+  registerHostConfig(name, hostConfig);
 }
-async function handleAuthenticationError6({
-  hostConfig
-}) {
-  if (hostConfig.getAccessToken) {
-    clearStoredOauthTokens(hostConfig);
-    return {
-      preventDefault: false,
-      retry: true
-    };
-  }
-  if (isBrowser()) {
-    if (hostConfig.performInteractiveLogin) {
-      clearStoredOauthTokens(hostConfig);
-      return {
-        retry: true
-      };
+function unregisterHostConfig2(name) {
+  unregisterHostConfig(name);
+}
+function serializeHostConfig2(hostConfig) {
+  return serializeHostConfig(hostConfig);
+}
+function checkForCrossDomainRequest(hostConfig) {
+  const hostConfigToUse = withResolvedHostConfig(hostConfig);
+  if (isHostCrossOrigin(hostConfigToUse)) {
+    if (Object.keys(hostConfigToUse).length === 0) {
+      throw new InvalidHostConfigError("a host config must be provided when making a cross domain request");
     }
-    if (hostConfig.authRedirectUserConfirmation) {
-      await hostConfig.authRedirectUserConfirmation();
+    if (!hostConfigToUse.host) {
+      throw new InvalidHostConfigError(
+        "A 'host' property must be set in host config when making a cross domain request"
+      );
     }
-    startFullPageLoginFlow(hostConfig);
-    return {
-      preventDefault: true
-    };
   }
-  await refreshAccessToken(hostConfig);
-  return {
-    preventDefault: false,
-    retry: true
-  };
-}
-var oauth_default = {
-  getRestCallAuthParams: getRestCallAuthParams6,
-  getWebSocketAuthParams: getWebSocketAuthParams6,
-  getWebResourceAuthParams: getWebResourceAuthParams3,
-  handleAuthenticationError: handleAuthenticationError6,
-  validateHostConfig: (hostConfig) => internalValidateHostConfig(hostConfig, {
-    requiredProps: ["clientId"],
-    optionalProps: [
-      "clientSecret",
-      "redirectUri",
-      "accessTokenStorage",
-      "scope",
-      "subject",
-      "userId",
-      "noCache",
-      "getAccessToken",
-      "performInteractiveLogin"
-    ]
-  })
-};
-
-// src/auth/internal/default-auth-modules/reference.ts
-function getRestCallAuthParams7() {
-  throw new Error("getRestCallAuthParams should never be called for reference auth module");
-}
-function getWebSocketAuthParams7() {
-  throw new Error("getWebSocketAuthParams should never be called for reference auth module");
-}
-function handleAuthenticationError7() {
-  throw new Error("handleAuthenticationError should never be called for reference auth module");
 }
-var reference_default = {
-  getRestCallAuthParams: getRestCallAuthParams7,
-  getWebSocketAuthParams: getWebSocketAuthParams7,
-  handleAuthenticationError: handleAuthenticationError7,
-  validateHostConfig: (hostConfig) => internalValidateHostConfig(hostConfig, { requiredProps: ["reference"], optionalProps: [] })
+var logout = () => {
+  globalThis.loggingOut = true;
+  globalThis.location.href = "/logout";
 };
-
-// src/auth/internal/default-auth-modules/windows-cookie/xrf-keys.ts
-var xrfKeys = {};
-function createXrfKey() {
-  let result2 = "";
-  for (let i = 0; i < 16; i += 1) {
-    const j = Math.floor(Math.random() * 62);
-    if (j < 10) {
-      result2 += j;
-    } else if (j > 9 && j < 36) {
-      result2 += String.fromCharCode(j + 55);
-    } else {
-      result2 += String.fromCharCode(j + 61);
-    }
+var leadingHttp = /^http/;
+function normalizeInbandAuthError({ errorBody, status }) {
+  const authError = errorBody;
+  if (typeof authError?.errors === "object") {
+    const err = new AuthorizationError(authError?.errors);
+    return { message: err.message };
   }
-  return result2;
-}
-function getXrfKey(hostConfig) {
-  const locationUrl = toValidLocationUrl(hostConfig);
-  xrfKeys[locationUrl] = xrfKeys[locationUrl] || createXrfKey();
-  return xrfKeys[locationUrl];
-}
-
-// src/auth/internal/default-auth-modules/windows-cookie.ts
-async function getRestCallAuthParams8({
-  hostConfig
-}) {
-  return {
-    headers: {
-      "X-Qlik-XrfKey": getXrfKey(hostConfig)
-    },
-    queryParams: {
-      xrfkey: getXrfKey(hostConfig)
-    },
-    credentials: getCredentialsForCookieAuth(hostConfig)
-  };
+  return { message: `HTTP ${status}` };
 }
-async function getWebSocketAuthParams8({
-  hostConfig
-}) {
-  return {
-    queryParams: {
-      xrfkey: getXrfKey(hostConfig),
-      "qlik-csrf-token": await getCsrfToken(hostConfig, true)
-    }
-  };
+function normalizeAuthModuleError(err) {
+  return { message: err.message || "Unknown error" };
 }
-async function handleAuthenticationError8({
-  hostConfig
-}) {
-  if (hostConfig.loginUri) {
-    if (hostConfig.authRedirectUserConfirmation) {
-      await hostConfig.authRedirectUserConfirmation();
+function withResolvedHostConfig(hostConfig) {
+  if (hostConfig?.reference) {
+    const refConfig = getRegisteredHostConfig(hostConfig.reference);
+    if (!refConfig) {
+      throw new InvalidHostConfigError(
+        `Host config with name "${hostConfig.reference}" not found.`
+      );
     }
-    globalThis.location.replace(
-      hostConfig.loginUri.replace("{location}", encodeURIComponent(globalThis.location.href))
-    );
-    return {
-      preventDefault: true
-    };
+    return refConfig;
   }
-  return {
-    // Do nothing, just let the error be thrown to calling code
-  };
-}
-var windows_cookie_default = {
-  getRestCallAuthParams: getRestCallAuthParams8,
-  getWebSocketAuthParams: getWebSocketAuthParams8,
-  handleAuthenticationError: handleAuthenticationError8,
-  validateHostConfig: (hostConfig) => internalValidateHostConfig(hostConfig, {
-    requiredProps: [],
-    optionalProps: ["loginUri", "crossSiteCookies"]
-  })
-};
-
-// src/auth/auth.ts
-globalThis.loggingOut = false;
-var authModulesRegistered = false;
-function registerDefaultAuthModules() {
-  if (!authModulesRegistered) {
-    registerAuthModule("apikey", apikey_default);
-    registerAuthModule("cookie", cookie_default);
-    registerAuthModule("none", none_default);
-    registerAuthModule("oauth2", oauth_default);
-    registerAuthModule("anonymous", anonymous_default);
-    registerAuthModule("windowscookie", windows_cookie_default);
-    registerAuthModule("reference", reference_default);
-    authModulesRegistered = true;
+  if (hostConfig && Object.keys(hostConfig).length > 0) {
+    return hostConfig;
   }
+  return getDefaultHostConfig();
+}
+function getDefaultHostConfig2() {
+  return getDefaultHostConfig();
 }
-registerDefaultAuthModules();
-var auth = {
-  logout,
-  registerAuthModule,
-  setDefaultHostConfig,
-  registerHostConfig,
-  unregisterHostConfig,
-  getRestCallAuthParams,
-  getWebSocketAuthParams,
-  getWebResourceAuthParams,
-  handleAuthenticationError,
-  toValidLocationUrl,
-  toValidWebsocketLocationUrl,
-  isWindows,
-  isHostCrossOrigin,
-  determineAuthType,
-  serializeHostConfig
-};
-var auth_default = auth;
 
 // src/invoke-fetch/internal/invoke-fetch-helpers.ts
 function encodeQueryParams(query) {
@@ -1981,14 +2032,14 @@ async function getInvokeFetchUrlParams({
     headers: authHeaders,
     queryParams: authQueryParams,
     credentials
-  } = await getRestCallAuthParams({
+  } = await getRestCallAuthParams8({
     hostConfig: options?.hostConfig,
     method
   });
   const url = locationUrl + applyPathVariables(pathTemplate, pathVariables);
   const queryString = encodeQueryParams({ ...query, ...authQueryParams });
   const completeUrl = toCompleteUrl(url, queryString);
-  const cacheKey = toCacheKey(url, queryString, serializeHostConfig(options?.hostConfig), options?.headers);
+  const cacheKey = toCacheKey(url, queryString, serializeHostConfig2(options?.hostConfig), options?.headers);
   return { completeUrl, cacheKey, authHeaders, credentials };
 }
 function invokeFetchWithUrl(api, props) {
@@ -2067,7 +2118,7 @@ function invokeFetchWithUrlAndRetry(api, {
   return cloneResultPromise(resultPromiseAfterCacheClearing);
 }
 function addPagingFunctions(api, value, method, body, options, authHeaders, credentials) {
-  const serializedHostConfig = serializeHostConfig(options?.hostConfig);
+  const serializedHostConfig = serializeHostConfig2(options?.hostConfig);
   return value.then((resp) => {
     const dataWithPotentialLinks = resp.data;
     if (!dataWithPotentialLinks) {
@@ -2114,7 +2165,7 @@ async function interceptAuthenticationErrors(hostConfig, resultPromise, performR
       if (globalThis.loggingOut) {
         return neverResolvingPromise();
       }
-      const { retry, preventDefault } = await handleAuthenticationError({
+      const { retry, preventDefault } = await handleAuthenticationError8({
         hostConfig,
         status: err.status,
         headers: err.headers,
@@ -2166,50 +2217,6 @@ async function download(blob, filename) {
   }
 }
 
-// src/invoke-fetch/invoke-fetch-error.ts
-var InvokeFetchError = class extends Error {
-  status;
-  headers;
-  data;
-  constructor(errorMessage, status, headers, data) {
-    super(errorMessage);
-    this.status = status;
-    this.headers = headers;
-    this.data = data;
-    this.stack = cleanStack(this.stack);
-  }
-};
-var EncodingError = class extends Error {
-  contentType;
-  data;
-  constructor(errorMessage, contentType, data) {
-    super(errorMessage);
-    this.contentType = contentType;
-    this.data = data;
-    this.stack = cleanStack(this.stack);
-  }
-};
-var regex = /^.+\/qmfe-api(?:\.js)?:(\d+)(?::\d+)?$/gim;
-var isFromQmfeApi = (line) => {
-  const matches = line.match(regex);
-  return Boolean(matches && matches.length > 0);
-};
-function cleanStack(stack) {
-  if (!stack) {
-    return stack;
-  }
-  const newStack = [];
-  const lines = stack.split("\n");
-  lines.reverse();
-  for (const line of lines) {
-    if (isFromQmfeApi(line)) {
-      break;
-    }
-    newStack.unshift(line);
-  }
-  return newStack.join("\n");
-}
-
 // src/invoke-fetch/invoke-fetch-functions.ts
 var defaultUserAgent = "qmfe-api/latest";
 async function invokeFetch(api, props, interceptors) {
@@ -2301,44 +2308,33 @@ async function parseFetchResponse(fetchResponse, url) {
   return invokeFetchResponse;
 }
 
-// src/invoke-fetch/invoke-fetch.ts
-var invokeFetchExp = {
-  invokeFetch,
-  clearApiCache,
-  parseFetchResponse
-};
-var invoke_fetch_default = invokeFetchExp;
-
 export {
   getPlatform,
+  generateRandomString,
+  exposeInternalApiOnWindow,
+  InvokeFetchError,
+  EncodingError,
+  invokeFetch,
+  clearApiCache,
+  parseFetchResponse,
   InvalidHostConfigError,
   UnexpectedAuthTypeError,
   InvalidAuthTypeError,
   AuthorizationError,
+  determineAuthType2 as determineAuthType,
   isHostCrossOrigin,
   isWindows,
   toValidLocationUrl,
   toValidWebsocketLocationUrl,
-  getWebSocketAuthParams,
-  getWebResourceAuthParams,
-  handleAuthenticationError,
-  getRestCallAuthParams,
-  getAccessToken,
+  getWebSocketAuthParams8 as getWebSocketAuthParams,
+  getWebResourceAuthParams3 as getWebResourceAuthParams,
+  handleAuthenticationError8 as handleAuthenticationError,
+  getRestCallAuthParams8 as getRestCallAuthParams,
   registerAuthModule2 as registerAuthModule,
-  setDefaultHostConfig,
-  registerHostConfig,
-  unregisterHostConfig,
-  serializeHostConfig,
-  determineAuthType,
-  checkForCrossDomainRequest,
+  setDefaultHostConfig2 as setDefaultHostConfig,
+  registerHostConfig2 as registerHostConfig,
+  unregisterHostConfig2 as unregisterHostConfig,
+  serializeHostConfig2 as serializeHostConfig,
   logout,
-  generateRandomString,
-  exposeInternalApiOnWindow,
-  InvokeFetchError,
-  EncodingError,
-  invokeFetch,
-  clearApiCache,
-  parseFetchResponse,
-  invoke_fetch_default,
-  auth_default
+  getDefaultHostConfig2 as getDefaultHostConfig
 };